ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Transcript Generator Free Online

v1.0.0

convert video files into text transcript file with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. students, content creators, journalists use...

0· 19·0 current·0 all-time
by@mhogan2013-9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Requiring a single backend credential (NEMO_TOKEN) is coherent with a cloud-based video processing service. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata shows no required config paths — this mismatch is an unexplained inconsistency.
!
Instruction Scope
The instructions direct the agent to automatically create an anonymous token (POST to mega-api-prod.nemovideo.ai) when NEMO_TOKEN is not present, and to 'connect ... automatically' on first open. They also instruct the agent not to display raw API responses or token values to the user. Automatic network calls and hidden handling of credentials without explicit user consent broaden the skill's scope beyond a simple 'upload-and-transcribe' helper and reduce transparency about what is transmitted.
Install Mechanism
No install spec or code files are present; the skill is instruction-only and therefore does not write new code to disk or pull executables. This is the lowest-risk install mechanism.
Credentials
Only NEMO_TOKEN is declared as required, which is proportionate for a service-backed transcription tool. However, SKILL.md implies use of a config directory and persistent session storage without those config paths being declared in the registry metadata. Also, the instruction to suppress showing the token to users means the skill will manage secrets without clear visibility or explicit permission.
!
Persistence & Privilege
The skill instructs storing a session_id and treats the returned anonymous token as NEMO_TOKEN (valid 7 days). It does not specify where session/token data should be stored (memory vs disk). The frontmatter includes a config path that suggests persistent storage (~/.config/nemovideo/), but the registry metadata omitted this. The combination of automatic token creation, hidden token handling, and ambiguous persistence is a privacy/persistence concern.
What to consider before installing
Before installing, consider these points: (1) This skill will communicate with mega-api-prod.nemovideo.ai and can create an anonymous API token automatically when first opened — ask the author to require explicit user consent before creating or using tokens. (2) Clarify where the skill stores session IDs and tokens (in-memory vs a file under ~/.config/nemovideo/). Persistent storage of tokens should be explicit and opt-in. (3) The SKILL.md tells the agent not to show raw API responses or token values — that reduces transparency; request a clear, auditable log of network activity or at least an explicit consent prompt. (4) Verify the third-party domain and privacy policy before uploading potentially sensitive videos, and ensure you are comfortable with 7-day tokens and possible data retention. If these questions are not answered satisfactorily, treat the skill as untrusted and avoid uploading private or sensitive media.

Like a lobster shell, security has layers — review code before you run it.

latestvk9785q4g0084m7v8jjkxqx81bx84zgey

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments