Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Free Data Format Converter
v1.0.0
Convert data files into converted data files with this skill. Works with CSV, JSON, XML, TXT files up to 200MB. Developers, analysts, students use it for con...
by peandrover adam @peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the runtime instructions: the skill routes uploads to a Nemovideo render API and returns MP4/other formats. Requesting a NEMO_TOKEN for the backend is coherent. However the package has no homepage/source and the metadata declares a config path (~/.config/nemovideo/) that the SKILL.md does not clearly justify, which is a small mismatch.
Instruction Scope
SKILL.md limits behavior to connecting to the Nemovideo API (create session, upload file, run render, poll status, stream SSE). It instructs use of an env token or creating an anonymous token via the API. The instructions reference reading the skill's YAML frontmatter and detecting install path to set attribution headers — these are within scope for a skill that must set request headers and report its version. The skill does not instruct reading unrelated system files or unrelated credentials.
Install Mechanism
Instruction-only skill with no install spec and no bundled binaries or downloads — minimal on-disk footprint and lower install risk.
Credentials
Only one credential (NEMO_TOKEN) is required, which is appropriate for a third-party API. The metadata also lists a config path (~/.config/nemovideo/), but the runtime instructions do not explain why that path is required, creating a small proportionality question. The skill also offers to obtain an anonymous token automatically (network call) if NEMO_TOKEN is absent — expected but worth noting.
Persistence & Privilege
always:false and no install behavior that modifies other skills or system-wide settings. The skill can be invoked autonomously by the agent (default platform behavior) but there is no elevated 'always' privilege requested.
What to consider before installing
This skill appears to be a cloud conversion service that uploads your files to api.mega-api-prod.nemovideo.ai using a NEMO_TOKEN. Things to consider before installing or using it:
- The skill’s source and homepage are missing; that reduces transparency — prefer services with clear provenance and privacy/terms pages.
- The skill will make network requests to nemovideo.ai and will upload files (potentially up to 200MB). Do not send sensitive or regulated data unless you trust their service and privacy policy.
- It will use NEMO_TOKEN if present or automatically request an anonymous token for you; if you must use it, consider a disposable token rather than a long-lived credential.
- Metadata lists a config path (~/.config/nemovideo/) that isn't explained in the instructions — ask the author what that path is used for before granting file-system access.
- Because this is an instruction-only skill that performs network I/O, consider running it in an environment where you can inspect outgoing requests or limit agent autonomy (require user confirmation) if you do not want the agent to call it without explicit permission.
If you need higher assurance, request the author/publisher, a homepage/privacy policy, or an actual code bundle you can review; otherwise treat uploads as public to the service and avoid sensitive data.
Like a lobster shell, security has layers — review code before you run it.
latest vk97fbxkp1trm8zjfzwsjv6yvt584ppgd
Runtime requirements
🔄 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
