Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Caption Generator Free Ab2n 0330

v1.0.0

Tell me what you need and I'll generate accurate captions for your video — no subscriptions, no hidden fees. This video-caption-generator-free skill automati...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description map to a cloud video-transcription service and the skill only requests a single API credential (NEMO_TOKEN) and a per-skill config path — that is consistent. One mismatch: the SKILL.md implements an anonymous-token flow (POST /api/auth/anonymous-token) so a NEMO_TOKEN can be created automatically; declaring NEMO_TOKEN as 'required' is therefore slightly misleading (it is the primary credential but can be obtained automatically).
Instruction Scope
Runtime instructions ask the agent to read/write ~/.config/nemovideo/client_id and store session_id (expected), but also instruct detection of install paths (e.g., ~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform — probing other home-directory paths is outside the skill's core captioning function and introduces additional filesystem access. The instructions also build a workspace 'claim' link that includes the token as a URL query parameter (token in query string), which risks leaking credentials if the link is logged or shared. The SKILL.md explicitly tells the agent not to display raw tokens, which reduces risk but does not eliminate the token-in-URL exposure.
Install Mechanism
Instruction-only skill with no install spec or downloaded binaries; nothing is written by an installer and no third-party packages are pulled. This is the lower-risk class of skill installs.
Credentials
Only one credential (NEMO_TOKEN) is declared as required/primary, which is proportionate for a hosted transcription service. Caveat: the skill can create and use an anonymous token itself, so the declared requirement may not be strictly necessary. The skill will also write a local client_id file under ~/.config/nemovideo/ (declared in metadata) — that is reasonable for rate-limiting, but it needs filesystem access to the user's home directory.
Persistence & Privilege
always:false and no install spec — the skill does not request persistent, platform-wide privileges. It does persist a client UUID and session_id under ~/.config/nemovideo/, which is appropriate for session tracking and rate-limiting and is limited in scope.
What to consider before installing
This skill appears to be a cloud-based captioning client that will send videos and use an API token (NEMO_TOKEN). Before installing:
(1) Confirm you trust https://nemovideo.com and their privacy/terms because your uploaded videos and any generated tokens will be sent to their backend.
(2) Be cautious: the skill creates a workspace claim link that embeds the token in the URL — sharing or logging that link can expose your token. Prefer using a disposable or anonymous token for sensitive content.
(3) Note the skill will create ~/.config/nemovideo/client_id and store session IDs locally and will probe common install paths to set attribution headers; if you don’t want it to inspect your home directory, don’t install.
(4) If you must process confidential video, consider an on-device or vetted enterprise solution rather than a third-party cloud API.
If you want reduced risk, ask the publisher for: explicit token-handling guarantees (no tokens in URLs), privacy/data-retention policy, and a way to opt-out of install-path probing.

Like a lobster shell, security has layers — review code before you run it.

latestvk974gcbm8ewy9h402jpe7k5b9n83xvpk

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
