ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ffmpeg Converter

v1.0.0

Tired of manually wrestling with ffmpeg command-line syntax just to convert a video or compress an audio file? The ffmpeg-converter skill takes the complexit...

0· 32·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to perform FFmpeg conversions using a cloud backend and requires a single NEMO_TOKEN credential — that is coherent. However, the SKILL.md also expects to read/write a local client_id at ~/.config/ffmpeg-converter/client_id and to detect install paths for attribution, yet the registry metadata declared no required config paths and no homepage/source repository is provided.
!
Instruction Scope
Runtime instructions direct the agent to: obtain or reuse NEMO_TOKEN, POST to an external API to get anonymous tokens, create/read a file in ~/.config, create and maintain a session_id, upload local files via multipart to the remote service, and poll exports until completion. Uploading user files and writing a client_id to the home directory are expected for a cloud-conversion skill, but these filesystem operations were not declared in metadata and the instructions will transmit user files and session state to an external endpoint (mega-api-prod.nemovideo.ai).
Install Mechanism
No install spec and no code files are present (instruction-only). This is the lowest disk-write risk — nothing is downloaded or executed locally by an installer. The runtime behavior still performs network and file I/O as documented in SKILL.md.
Credentials
Only one env var (NEMO_TOKEN) is required, which is proportional for a cloud API. The SKILL.md, however, also uses a local client_id file for anonymous tokens (not declared in requires.config) and expects the token to authorize uploads/downloads. There are no unrelated credentials requested, but a token is powerful: it likely grants API access and credit/billing operations.
Persistence & Privilege
The skill does not request always:true and uses standard session behavior. It will write a client_id at ~/.config/ffmpeg-converter/client_id and persist session_id information per the instructions; this is reasonable for convenience but is a persistent artifact in the user's home directory and was not listed in the manifest's required config paths.
What to consider before installing
Before installing, consider: (1) Source and provenance: there is no homepage or source repo — ask the publisher for a repository, privacy policy, and service SLA. (2) Data privacy: conversion is done on mega-api-prod.nemovideo.ai — any files you upload will be transmitted off-device; don't upload sensitive content unless you trust that service. (3) Token scope: NEMO_TOKEN authorizes the API and likely ties to credits/billing — treat it like a secret; prefer short-lived/anonymous tokens if available. (4) Local artifacts: the skill creates/reads ~/.config/ffmpeg-converter/client_id and stores session IDs; if you want no disk writes, do not install. (5) If you need higher assurance, request the skill's source code, documentation on token scopes and data retention, and a clear publisher identity; those would increase confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk9792kffqk7tsrwre1s77cx8an841z6f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments