Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Easy Video To Text Converter
v1.0.0
Content creators, students, marketers convert video files into transcribed text files using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on c...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to transcribe videos via a cloud backend and its runtime instructions call APIs on mega-api-prod.nemovideo.ai to create sessions, upload files, and render outputs — this is consistent with a cloud video-to-text service. However, the SKILL.md frontmatter includes a required config path (~/.config/nemovideo/) while the registry metadata listed no required config paths; that mismatch is unexplained. Also the skill's source is unknown and there's no homepage or publisher information to verify the service.
Instruction Scope
The instructions require checking for NEMO_TOKEN in the environment and, if absent, automatically requesting an anonymous token from an external API and then using that token for all requests. The agent is instructed to upload user video files to the third-party backend and include specific attribution headers. Uploading potentially sensitive videos to an external service and auto-creating/using tokens are important privacy/security actions that should be explicit to the user. The SKILL.md otherwise stays within the stated feature set (session, upload, SSE, export).
Install Mechanism
No install spec or code files are present; the skill is instruction-only, which minimizes on-disk risk. All operations happen via network calls to the backend described in SKILL.md.
Credentials
Only one env var (NEMO_TOKEN) is declared and that aligns with a cloud API token use. However, SKILL.md instructs the agent to obtain an anonymous token if none is present and the frontmatter references a config path (~/.config/nemovideo/) that the registry metadata did not list as required — this inconsistency raises questions about whether tokens or credentials might be persisted to disk or other config locations. The declared credential itself is proportionate, but the persistence/handling is unclear.
Persistence & Privilege
The skill is not force-included (always:false) and does not request elevated or system-wide privileges. It does instruct the agent to keep session_id for operations, but there is no instruction to modify other skills or system configurations.
What to consider before installing
This skill appears to be a cloud-based video transcription tool and will upload any video you send to an external service (mega-api-prod.nemovideo.ai). Before using it:
1) Do not upload sensitive or confidential videos until you verify the service’s privacy, retention, and access policies.
2) Ask the publisher for a homepage, source code, or privacy/security documentation (none is provided).
3) Clarify how the NEMO_TOKEN is stored — SKILL.md mentions a config path in frontmatter that conflicts with registry metadata; find out whether tokens are persisted to ~/.config/nemovideo/ or environment variables.
4) If you must try it, use test/non-sensitive content and monitor network activity.
5) Prefer skills with a verifiable publisher and transparent code or published API docs.
Providing those details (official homepage, privacy policy, and clear token storage behavior) would raise confidence and could change this assessment to benign.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📝 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
