Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Transcription Free

v1.0.0

students, content creators, podcasters convert video files into captioned text videos using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on c...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description align with the actions described (upload video, transcribe, render MP4). Requiring a single API token (NEMO_TOKEN) is reasonable. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths—this mismatch and the missing homepage/unknown source reduce trust in provenance.
Instruction Scope
Runtime instructions direct the agent to perform network calls to https://mega-api-prod.nemovideo.ai, upload local files (multipart -F "files=@/path"), generate anonymous tokens, and 'detect' install-paths to set an X-Skill-Platform header (reading ~/.clawhub, ~/.cursor/skills/ etc.). Detecting install paths or reading a config directory implies the skill may probe the user's filesystem; that is broader in scope than mere file upload/transcription and could expose sensitive data if performed indiscriminately.
Install Mechanism
This is an instruction-only skill with no install spec or code files; nothing will be written to disk by an installer. That lowers installation risk.
Credentials
Only NEMO_TOKEN is declared as required, which is appropriate for a remote API. But the SKILL.md also documents an anonymous-token flow (so an env var may be optional) and its frontmatter references a config path that could contain other credentials. The presence of an undeclared config path in the skill content is disproportionate unless the skill actually needs to read prior configuration—this should be clarified.
Persistence & Privilege
always:false and default agent-invocation behavior are normal. The skill instructs saving a session_id returned by the API; that is typical for session-based services. There is no request for persistent local installation or modification of other skills.
What to consider before installing
This skill generally does what it says (upload video to a remote API and return a rendered MP4), but exercise caution: the package has no homepage or identifiable owner, and the instructions ask the agent to probe install/config paths (e.g., ~/.config/nemovideo/, ~/.clawhub/) which could access unrelated files. Before installing or using it:
1) verify the API domain and service reputation (mega-api-prod.nemovideo.ai) and ask the publisher for a homepage or documentation;
2) avoid uploading sensitive videos or including system credentials;
3) decline filesystem probing—ask the skill to only use explicit file paths you provide; and
4) prefer using an account-bound API token you control rather than allowing anonymous-token generation.
If you need higher assurance, request the skill author to remove the install-path/config probing and to publish source or official docs.


latest: vk97c95jsdpkv8tny6p0zrc5xen84je0r


Runtime requirements

🎙️ Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
