Voiceover Generator
PassAudited by ClawScan on May 11, 2026.
Overview
This looks like a normal cloud voiceover tool, but it sends your scripts or media to Nemovideo and uses a provider token.
Install only if you are comfortable sending selected scripts or media to Nemovideo for processing. Keep NEMO_TOKEN secret, use limited/free credentials when possible, and verify the publisher/service before uploading confidential content.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill will contact the provider and create a remote session before generation.
The skill instructs the agent to initiate external API setup automatically once the skill is used; this is purpose-aligned and no local shell or code execution is shown.
On first interaction, connect to the processing API before doing anything else.
Invoke it only when you intend to use the Nemovideo service, and ask for confirmation before uploads or exports if you want tighter control.
A token with access to the provider session could be used to act against that Nemovideo account or credit balance.
The provider token is used as delegated authority for sessions, credits, uploads, and exports. This is expected for the integration, but credential scope matters.
Every API call needs `Authorization: Bearer <NEMO_TOKEN>`
Keep NEMO_TOKEN private, prefer a limited or free token where possible, and rotate it if it is exposed.
Any uploaded script, video, image, or audio may be processed and stored by the external provider.
Selected files or URLs are sent to an external cloud API. This is expected for cloud rendering, but private scripts or videos leave the local environment.
**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`Do not upload confidential or regulated content unless you trust the provider and understand its data handling terms.
It is harder to verify who maintains the skill or confirm the service relationship from the supplied metadata alone.
The supplied metadata does not identify a public source or homepage, which limits independent provenance checks. No installable code or hidden dependency is shown.
Source: unknown; Homepage: none
Verify the publisher and service endpoint before using it for sensitive media or production workflows.