ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Video To Text Converter

v1.0.0

Cloud-based free-video-to-text-converter tool that handles transcribing spoken video content into readable text or subtitles. Upload MP4, MOV, AVI, WebM file...

0· 4·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill’s name/description (video→text transcription) aligns with its runtime instructions (upload video, create session, render/export). Requiring a single NEMO_TOKEN is coherent. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that is not reflected in the registry metadata provided, and the skill’s source/homepage are missing — that mismatch and lack of provenance is noteworthy.
!
Instruction Scope
Instructions explicitly perform network requests to an external API (mega-api-prod.nemovideo.ai), upload user media, create sessions, poll SSE streams, and can acquire anonymous tokens on behalf of the user. They also require auto-detecting platform/install path for an attribution header — which implies the agent may need filesystem context. These runtime behaviours are within a transcribe/export skill’s scope, but they do involve transmitting potentially sensitive user files to an external, undocumented service.
Install Mechanism
Instruction-only skill with no install spec or code to download; nothing is written to disk by an installer. Low installation risk, but runtime network/file operations remain.
Credentials
The only declared credential is NEMO_TOKEN (primaryEnv), which is appropriate for an API-backed service. The SKILL.md will also generate/obtain an anonymous token if none is present. Be aware that any token grants the service access to upload/download jobs and potentially user data. The mismatch between SKILL.md frontmatter configPaths and the registry metadata is an inconsistency to clarify.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not declare writing to other skills' configs. There is no explicit instruction to persist credentials locally, though the instructions use environment tokens at runtime.
What to consider before installing
This skill will upload user videos to an external endpoint (mega-api-prod.nemovideo.ai) and use a NEMO_TOKEN (or an anonymous token it fetches) to run transcriptions — that is expected for a cloud transcription tool, but it means your media and audio are sent to an external service with no homepage or provenance listed. Before installing: (1) confirm the service owner and privacy policy; (2) do not provide production or sensitive credentials as NEMO_TOKEN; prefer anonymous tokens and avoid uploading confidential videos; (3) ask why the SKILL.md frontmatter references ~/.config/nemovideo/ when registry metadata does not — clarify whether the agent will read that path; (4) if privacy is a concern, consider local/offline transcription alternatives. If you cannot verify the service operator or privacy terms, treat this skill as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk977shemdyjvtfefzmgyq664kh84jx12

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments