Video To Mp4

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed cloud video-conversion skill, but it sends selected media to an external NemoVideo backend and uses a bearer token/session.

This skill is reasonable for converting videos if you are comfortable uploading them to NemoVideo’s cloud service. Avoid private or confidential media unless you trust that provider, keep the NEMO_TOKEN secret, and be aware that a backend session and render job may persist while processing completes.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

Videos or media you provide may be uploaded to the NemoVideo cloud service for conversion or rendering.

Why it was flagged

The skill depends on sending user-selected media to an external cloud API for processing, which is expected for this purpose but important for users to notice.

Skill content

"This tool takes your video files and runs video format conversion through a cloud rendering pipeline. You upload, describe what you want, and download the result."

Recommendation

Only upload files you are comfortable sending to that service, and avoid sensitive or confidential videos unless you trust the provider.

ASI03: Identity and Privilege Abuse
Low
What this means

The agent will use a NemoVideo token to create sessions, check credits, upload media, and export results.

Why it was flagged

The skill uses a bearer token for the external provider. This is expected for the integration, and the artifacts do not show unrelated credential use or leakage.

Skill content

"Every API call needs `Authorization: Bearer <NEMO_TOKEN>`"

Recommendation

Treat NEMO_TOKEN as a secret and revoke or rotate it if you no longer want this skill to access the service.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

It may be harder to independently verify who maintains the skill or review provider documentation before uploading media.

Why it was flagged

The skill has limited provenance information even though it relies on an external backend. No executable install code is present, so this is a provenance note rather than a concern.

Skill content

Source: unknown; Homepage: none

Recommendation

Use extra caution with private videos and verify the NemoVideo service separately if the files are sensitive.

ASI06: Memory and Context Poisoning
Low
What this means

Your conversion session and media project details may remain available to the backend while the job is active.

Why it was flagged

The backend maintains session state, draft information, and media metadata for the conversion workflow. This is purpose-aligned but means project context may persist during the session.

Skill content

"Store the returned `session_id` for all subsequent requests" and "State — `GET /api/state/nemo_agent/me/<sid>/latest` — current draft and media info."

Recommendation

Do not send sensitive media unless you are comfortable with the provider handling session state and media metadata.

ASI10: Rogue Agents
Info
What this means

A render job might continue on the provider side even if you close the tab before it finishes.

Why it was flagged

Cloud render jobs may continue or become detached from the user interface if the session closes. This is disclosed and tied to user-initiated rendering, not hidden autonomous behavior.

Skill content

"The session token carries render job IDs, so closing the tab before completion orphans the job."

Recommendation

Wait for exports to finish when possible, and monitor credits or job status if a conversion is interrupted.