Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video To Text Converter Free
v1.0.0
Convert video files into transcribed text files with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. Students, journalists, content creators us...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (transcribe video to text via a remote service) aligns with the API calls in SKILL.md and the single credential (NEMO_TOKEN). However, the metadata and instructions conflict with the registry manifest: requires.env lists NEMO_TOKEN as required, yet SKILL.md describes automatically obtaining an anonymous token if NEMO_TOKEN is not set. The frontmatter also lists a config path (~/.config/nemovideo/) while the registry summary showed none. This mismatch is an inconsistency to resolve.
Instruction Scope
Instructions direct network calls to https://mega-api-prod.nemovideo.ai for auth, uploads, SSE, and rendering (expected). They also instruct deriving headers from the skill's YAML frontmatter and detecting the install path (~/.clawhub/, ~/.cursor/skills/) — which requires inspecting the agent's filesystem/environment. SKILL.md further says to 'store' the token and session_id but gives no safe storage mechanism. These file-system reads and the unspecified token storage are broader scope than a purely stateless API client and are not fully justified or explained.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is downloaded or written at install time. That minimizes installation risk.
Credentials
Only one credential (NEMO_TOKEN) is declared, which is appropriate for a third‑party API. But SKILL.md will generate an anonymous token if NEMO_TOKEN is absent, making the explicit 'required' label misleading. The frontmatter also references a config path (~/.config/nemovideo/) and instructs detecting install paths for header values — both imply the skill may read local files/configs beyond what a simple uploader needs. Uploading user videos to a third-party service is expected but may expose sensitive data; the skill provides no privacy/retention details.
Persistence & Privilege
The skill does not request always:true and can be invoked by the user. It instructs storing NEMO_TOKEN and session_id for subsequent requests, which is normal for session-based APIs, but where/how to persist these (and for how long) is unspecified and thus worth clarifying.
What to consider before installing
Before installing or using this skill: (1) confirm the service domain (mega-api-prod.nemovideo.ai) is trustworthy and read its privacy/retention policy — uploading video sends potentially sensitive data off your machine; (2) ask the skill author to fix metadata inconsistencies (the registry says NEMO_TOKEN is required, but SKILL.md can auto-generate an anonymous token; frontmatter lists a configPath but registry shows none); (3) ask where and how NEMO_TOKEN and session_id will be stored (encrypted on disk, ephemeral in memory, retention time); (4) if you have sensitive videos, avoid using automatic anonymous token generation or sending files until you verify the backend; (5) consider requiring the developer to remove unnecessary filesystem checks (install-path detection, reading ~/.config/nemovideo/) or to explicitly justify them; and (6) if you proceed, monitor network traffic for unexpected endpoints and prefer one-off tokens rather than long-lived credentials.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9722xhv9jr1ejqmcyq2vfaxb184mpf6
Runtime requirements
📝 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
