Vivideo

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Vivideo appears to be a coherent cloud video-processing skill, but its instructions may expose a NemoVideo token in a visible workspace link.

Review the token-link behavior before installing. Vivideo’s cloud video processing is consistent with its purpose, but you should avoid sensitive footage unless you trust NemoVideo’s data handling, and the skill author should clarify or fix whether bearer tokens are ever placed in URLs.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A NemoVideo token or session-claim token could be exposed beyond the immediate API call, potentially allowing unintended use of the user’s credits or project session.

Why it was flagged

The artifact defines the Nemo token as the API authorization credential, then later instructs the agent to place `$TOKEN` in a user-visible URL. That could expose the token in chat logs, browser history, or URL logs despite the instruction not to display token values.

Skill content

“Don't display raw API responses or token values to the user.” ... “give the user a link: `https://nemovideo.com/workspace/claim?token=$TOKEN&task=<task_id>&session=<session_id>...`”

Recommendation

Clarify whether `$TOKEN` is a separate, limited claim token or the bearer `NEMO_TOKEN`; avoid putting bearer credentials in URLs and use a short-lived, scoped claim code instead.

What this means

Opening or using the skill may contact NemoVideo and create a backend session before any video processing starts.

Why it was flagged

The skill automatically contacts the NemoVideo backend and creates a session. This is disclosed and aligned with a cloud video-processing skill, but users should know network calls occur at first use.

Skill content

“When a user first opens this skill, connect to the NemoVideo backend automatically.”

Recommendation

Use the skill only if you are comfortable with NemoVideo receiving setup/session requests, and review provider terms for credits and data handling.

What this means

Video project details and clip history may be retained and reused within the NemoVideo session.

Why it was flagged

The skill keeps stateful project context and clip history in the backend session. This is useful for video editing workflows but means uploaded or processed project context can persist across requests.

Skill content

“Each call is stateful within your session, so context like your project settings and clip history carries through without you needing to repeat yourself.”

Recommendation

Avoid uploading highly sensitive footage unless the provider’s retention and deletion controls meet your needs.