ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Converter Free

v1.0.0

convert video files into converted MP4 files with this skill. Works with AVI, MOV, MKV, WebM files up to 500MB. casual users and content creators use it for...

0· 38·0 current·0 all-time
by@roca-677
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the actions in SKILL.md (upload video, request conversion, download MP4). Requesting a NEMO_TOKEN is coherent for a cloud API. Minor inconsistency: the registry metadata at the top said 'required config paths: none' while the skill frontmatter references a config path (~/.config/nemovideo/) — this mismatch should be resolved.
Instruction Scope
Instructions direct the agent to create/use a bearer token, upload user video files to https://mega-api-prod.nemovideo.ai, stream SSE, and poll rendering endpoints — all expected for a remote conversion service. The skill also instructs reading its own YAML frontmatter and checking local install paths (e.g., ~/.clawhub/, ~/.cursor/) to set an attribution header; that requires filesystem checks beyond pure API calls. There are no instructions to read unrelated system credentials or arbitrary user files.
Install Mechanism
No install spec or downloaded code — instruction-only skill (lowest install risk). Nothing will be written to disk by an installer, but runtime will involve network calls and optional filesystem reads described above.
Credentials
Only one environment variable is declared (NEMO_TOKEN) which is appropriate for authenticating to the stated API. The frontmatter also references a config path (~/.config/nemovideo/) and the instruction to detect install path could read user filesystem; this is plausible for attribution but increases the scope of local access compared with a pure-API client.
Persistence & Privilege
The skill is not always-on, is user-invocable, and allows normal autonomous invocation. It only instructs saving session_id for in-progress jobs (expected) and does not request modification of other skills or system-wide settings.
Assessment
This skill will upload your video files to an external service (mega-api-prod.nemovideo.ai) and uses a NEMO_TOKEN (or generates a short-lived anonymous token) to do conversions. Before installing or using it: 1) Do not set a long-lived, highly-privileged secret in NEMO_TOKEN—prefer ephemeral/anonymous tokens when possible. 2) Verify you trust the destination domain and its privacy policy before uploading sensitive videos. 3) Note the skill may check local install/config paths to populate headers; if you prefer, run it in an environment without sensitive files or avoid granting it access to your home directory. 4) Confirm the metadata/configPath inconsistency with the publisher (registry vs SKILL.md). If any of these concerns are unacceptable, do not install or use the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk973b821w87z8v11cz7446pzx984ms2q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔄 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments