Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Auto Subtitle Generator Free Ab2n 0330
v1.0.0
Drop a video and watch captions appear automatically — no subscriptions, no watermarks, no hassle. The auto-subtitle-generator-free skill transcribes spoken...
⭐ 0· 52·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required env var (NEMO_TOKEN), and declared config path (~/.config/nemovideo/) align with a client that talks to the NemoVideo API to upload videos and request transcription.
Instruction Scope
Runtime instructions tell the agent to read/create ~/.config/nemovideo/client_id, obtain or use NEMO_TOKEN, create sessions, upload videos, and return a claim URL that includes the token as a query parameter. The link-with-token behavior contradicts the 'Don't print tokens' admonition and risks token exposure (logs, browser history, referrers). Instructions otherwise stay within the expected domain (API calls and uploads) and do not request unrelated system data.
Install Mechanism
Instruction-only skill with no install steps or external archives. Nothing will be downloaded or executed by an installer.
Credentials
Only one credential is required (NEMO_TOKEN) and that is appropriate for an API client. However, the instructions write/read a client_id file under the user's home config and create session tokens; they also explicitly construct a URL containing the token which risks leaking that credential to third parties or logs.
Persistence & Privilege
always:false (no forced permanence). The skill will read/write files under ~/.config/nemovideo/, creating a client_id and storing session state — reasonable for a client but it does create persistent data in the user's home directory.
What to consider before installing
This skill appears to do what it says — upload videos to NemoVideo and get captions — but it will read/write ~/.config/nemovideo/client_id and use a NEMO_TOKEN. The instructions tell the agent to construct a claim link that includes the token in the URL (token=<TOKEN>), which can leak the token via logs, browser history, or referrers. Before installing: (1) confirm you trust https://nemovideo.com and the skill source, (2) avoid providing any production or overly-privileged tokens — prefer ephemeral tokens you can revoke, (3) be aware the skill will write a client_id file in your home config, and (4) ask the maintainer to remove token-in-URL behavior or switch to returning a safer claim mechanism (server-side exchange or one-time code). If you need higher assurance, request a code review or test with a disposable account/token first.
Like a lobster shell, security has layers — review code before you run it.
latest vk970ej7dk0wfnrjw4pxchah3n983xp3e
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
