Still Image To Video
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may create sessions, run remote render/export workflows, and potentially use service credits as part of normal operation.
The skill authorizes automatic API setup and backend-driven API actions. This is related to the video-rendering purpose, but exports or render jobs may occur without a separate confirmation step in the instructions.
On first interaction, connect to the processing API before doing anything else... Backend says "click [button]" / "点击" | Execute via API ... "Export button" / "导出" | Execute export workflow
Ask the agent to confirm before export or credit-consuming actions, and monitor credit usage in the connected NemoVideo account.
Anyone with access to the configured token may be able to use the associated NemoVideo account or credits.
The skill uses a NemoVideo bearer token for authenticated API calls. That credential use is disclosed and expected for the service, but it delegates access to the user's service session and credits.
If `NEMO_TOKEN` environment variable is already set, use it... Include `Authorization: Bearer <NEMO_TOKEN>` ... on every request
Use a limited-purpose token when possible, do not paste or share it, and revoke or rotate it if you no longer use the skill.
Uploaded photos, media files, prompts, and generated draft information leave the local environment and are processed by NemoVideo's servers.
The skill sends user media, prompts, and session data to an external provider for processing. This is central to the cloud-rendering purpose and is disclosed.
All calls go to `https://mega-api-prod.nemovideo.ai`... Upload — `POST /api/upload-video/nemo_agent/me/<sid>` — multipart file or JSON with URLs
Only upload images and media you are comfortable sending to a third-party cloud service, especially if they contain private, client, or confidential content.
If the platform prompts for this path, the user may not know why the skill needs it.
The frontmatter names a local config path, but the visible instructions do not explain whether the skill reads from or writes to that path. No code or install script is present showing hidden access.
metadata: {"openclaw": {"requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]}The publisher should document the purpose of the config path or remove it if unused; users should decline unexpected local path access if prompted.