Professional Ai Image
Analysis
This skill appears purpose-aligned for cloud image-to-video enhancement, but it uses a NemoVideo token and sends user media and session data to an external cloud API.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Backend Response Translation: Backend says 'click [button]' / 'Export button' -> You do 'Execute via API' / 'Execute export workflow'
The skill makes remote backend responses drive follow-up API actions. This is limited to the intended video workflow, but users should know the backend can guide the agent's next steps.
Upload: POST /api/upload-video/nemo_agent/me/<sid> — file: multipart -F 'files=@/path', or URL: {'urls':['<url>'],'source_type':'url'}
The skill can upload user-provided files or URLs to the backend and then start render/export workflows. This is central to the stated purpose, but it is a meaningful external action.
Source: unknown; Homepage: none
The skill has no installable code or dependencies, but the registry metadata does not provide a source or homepage for verifying the external service integration.
Tell the user you're ready. Keep the technical details out of the chat.
The skill prefers a simplified user experience and does not require the agent to disclose backend token/session details in chat. Cloud processing is otherwise disclosed, so this is a transparency note rather than deceptive behavior.
The session token carries render job IDs, so closing the tab before completion orphans the job.
Cloud render jobs may continue independently once started. This is expected for rendering and is not evidence of self-propagation or hidden persistence.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Required env vars: NEMO_TOKEN; Primary credential: NEMO_TOKEN
The skill requires a service token and uses it for Bearer authorization. This is expected for the external API integration and no hardcoded credential or unrelated account access is shown.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Session state: GET /api/state/nemo_agent/me/<sid>/latest — key fields: data.state.draft, data.state.video_infos, data.state.generated_media
The backend keeps session state for drafts, video information, and generated media. This is expected for rendering, but it means task context and media metadata may persist remotely.
Send message (SSE): POST /run_sse — body {'app_name':'nemo_agent','user_id':'me','session_id':'<sid>'...} with Accept: text/event-stream
The skill communicates with a remote agent-like backend over SSE and uses returned messages to continue the workflow. The host and authorization are specified, so this is purpose-aligned rather than hidden.
