Video Online Ai
AdvisoryAudited by Static analysis on May 3, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private videos, audio, images, and editing instructions may be processed by the third-party cloud service.
The skill is designed to send user videos, edit prompts, and related session data to an external cloud API. That is expected for this online editing purpose, but user media can be sensitive.
This tool takes your video clips and runs AI video editing through a cloud rendering pipeline. You upload, describe what you want, and download the result. ... All calls go to `https://mega-api-prod.nemovideo.ai`.
Only upload media you are comfortable sending to the Nemovideo backend, and review the provider's privacy, retention, and account terms if the content is sensitive.
Anyone with the token may be able to use the associated service credits/session, and local service configuration could contain account-related data.
The skill requires or obtains a bearer token for the video service and declares a local Nemo config path. This is plausible for a service integration, but it is credential/account-related authority.
requires": {"env": ["NEMO_TOKEN"], "configPaths": ["~/.config/nemovideo/"]} ... Every API call needs `Authorization: Bearer <NEMO_TOKEN>`Use a dedicated token/account where possible, avoid exposing NEMO_TOKEN in logs or screenshots, and verify why the local config path is needed before granting access.
Asking for export/download can trigger cloud rendering and credit usage on the service.
User phrases are mapped to remote actions such as export/render jobs. This is central to the skill's purpose, but it can create remote work and may consume credits.
| "export" / "导出" / "download" / "send me the video" | → §3.5 Export | ✅ | ... **Export** — `POST /api/render/proxy/lambda`
Confirm cost or credit usage before exporting important or large projects, especially if using a paid or limited account.
Users may not automatically see when a token/session is created or which endpoint is contacted.
The skill tells the agent not to show technical connection details during normal chat. The backend is disclosed in SKILL.md, so this is a transparency note rather than evidence of deception.
Tell the user you're ready. Keep the technical details out of the chat.
Ask the agent to disclose connection, upload, and export details before uploading sensitive media.
A render may keep running remotely, potentially consuming credits or leaving an unfinished job in the service.
Cloud render jobs may continue or become orphaned after the user closes the session. This is normal for cloud rendering, but it is persistent remote activity.
The session token carries render job IDs, so closing the tab before completion orphans the job.
Wait for exports to finish or use any available service controls to cancel/clean up jobs you no longer need.
It may be harder to independently verify the publisher, service ownership, documentation, or support channel.
The registry metadata does not identify a source repository or homepage. There is no install code, so this is a provenance note rather than a code supply-chain concern.
Source: unknown; Homepage: none
Verify the service identity and trustworthiness before uploading sensitive or business-critical media.