Prompt To Video Generator
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Prompts and uploaded documents may leave your environment and be processed by nemovideo.ai.
The skill explicitly sends user-provided prompts/files to an external cloud provider for video generation. This is expected for the stated purpose, but privacy/retention boundaries are not specified in the artifact.
Upload your text prompts (TXT, DOCX, PDF, plain text, up to 500MB) ... All calls go to `https://mega-api-prod.nemovideo.ai`.
Only upload prompts or files you are comfortable sending to the third-party video service; avoid confidential documents unless you trust the provider and its data handling.
The skill can act against the nemovideo.ai backend using the provided or anonymous token, including checking credits, uploading content, and exporting renders.
The skill requires or obtains a bearer token and uses it for authenticated requests to the video backend. This is purpose-aligned, with no evidence of unrelated token use or leakage.
`requires`: {"env": ["NEMO_TOKEN"]} ... Include `Authorization: Bearer <NEMO_TOKEN>` ... on every requestUse a dedicated token if possible, monitor credits/usage, and revoke or rotate the token if you no longer use the skill.
A backend response may cause the agent to continue editing or exporting through the API, potentially using service credits.
The skill tells the agent to treat backend GUI-style text as operational instructions and translate them into API calls. This is part of the integration design, but it means remote provider responses can drive actions inside the session.
Backend says | You do ... "click [button]" | Execute via API ... "Export button" | Execute export workflow
Ask the agent to confirm before export or other credit-consuming actions if cost or final output approval matters.
Generated drafts, uploaded media, and render job identifiers may persist in the remote service beyond a single chat turn.
The backend stores and reuses session, draft, media, and render-job state across requests. This is expected for a video editing/rendering workflow, but retention and cleanup controls are not described.
The `session_id` in the response is needed for all following requests ... State — ... current draft and media info ... closing the tab before completion orphans the job.
Avoid sensitive uploads and check whether the provider offers project deletion or session cleanup if you need to remove generated content.