Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Video Caption Generator Free Ab New
v1.0.0
Tired of manually transcribing dialogue or paying for expensive captioning services? The video-caption-generator-free skill automatically detects speech in y...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (video captioning) align with the only declared secret (NEMO_TOKEN), the listed API domain, and the upload/render endpoints described in SKILL.md. Asking for a token and a local client_id file under ~/.config/nemovideo/ is consistent with a cloud transcription service.
Instruction Scope
The SKILL.md tells the agent to read/create ~/.config/nemovideo/client_id and to obtain/store an anonymous token, create sessions, upload videos, and include attribution headers. Two problematic items: (1) it instructs building a workspace claim URL that embeds the raw token as a query parameter (https://nemovideo.com/workspace/claim?token=$TOKEN&...), which can leak the token via URL sharing, browser history, or referrers; (2) it asks the agent to detect install path by checking filesystem locations (e.g., ~/.clawhub/, ~/.cursor/skills/) which requires reading the user's home paths. Both behaviors expand the skill's runtime data access beyond simple API calls and should be reviewed.
Install Mechanism
No install spec and no code files — this is instruction-only, so nothing is downloaded or written by an installer beyond what the skill's runtime instructions tell the agent to do (e.g., creating ~/.config/nemovideo/client_id). Instruction-only reduces installation risk.
Credentials
Only NEMO_TOKEN is required and metadata declares ~/.config/nemovideo/ as a config path, which is proportionate to a cloud captioning service. However, the instructions advise against printing tokens yet also instruct constructing a URL that includes the token, which creates a potential token-exfiltration vector. Confirm the token's scope/expiration and whether it can be revoked.
Persistence & Privilege
The skill does not request always:true or system-wide privileges. Its only persistent action is reading/writing a client_id under ~/.config/nemovideo/, which is plausible for anonymous-client behavior. It does not ask to modify other skills or global agent settings.
What to consider before installing
This skill appears to be a legitimate cloud captioning client, but review these before installing: (1) ask the provider how NEMO_TOKEN is scoped and revoked — prefer short-lived, low-privilege tokens; (2) confirm you are comfortable the skill will create/read ~/.config/nemovideo/client_id; (3) be cautious about the workspace claim URL that embeds your token — avoid sharing that link and ask the provider to use a safer claim mechanism (one-time code rather than raw token in query); (4) verify the API domain (mega-api-prod.nemovideo.ai) and homepage ownership; (5) if you need stronger guarantees, request that the skill use a redirect-based claim flow or that the agent never places tokens into user-visible URLs. If you cannot verify token scope or the provider's privacy policy, treat the token as sensitive and consider creating an account/token just for this test that can be easily revoked.
Like a lobster shell, security has layers — review code before you run it.
latest vk97d0ae6t5hvar1b7azrv7gj0s83xs9d
Runtime requirements
💬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
