Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Free Subtitle Maker

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — automatically generate and add subtitles in English — and get captioned vi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is described as a remote subtitle-generation front end and legitimately needs an API token for a backend service (NEMO_TOKEN). However the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) and runtime instructions that detect install paths (~/.clawhub/, ~/.cursor/skills/) for attribution — the registry metadata shown to you listed no required config paths. This mismatch (declared none vs SKILL.md wanting config paths and path detection) is inconsistent and worth verifying.
Instruction Scope
Runtime instructions direct uploading user video/audio files to https://mega-api-prod.nemovideo.ai, creating/storing session tokens, streaming SSE, and detecting local install paths to set an X-Skill-Platform header. Reading install path or local config for attribution is outside the minimal scope of subtitle generation and touches user file-system information; that is scope creep and a privacy concern. The instructions also instruct the agent to obtain anonymous tokens automatically if NEMO_TOKEN is missing — this is operationally reasonable but should be transparent to users.
Install Mechanism
No install spec and no code files (instruction-only). Lowest-risk in terms of code being written to disk. There is no external download or package install in the spec.
Credentials
Only one environment variable (NEMO_TOKEN) is required, which is proportional for an API-based service. However SKILL.md references local config paths and install-path detection that would let the skill read user-specific filesystem locations; that access is not justified by the stated need for a single API token and should be clarified.
Persistence & Privilege
always:false and the skill does not request permanent system-wide privileges. It asks to store a session_id for the service (expected for API interactions) but does not request modification of other skills or global agent settings.
What to consider before installing
This skill mostly behaves like a normal API-driven subtitle generator, but verify a few things before enabling it:
(1) Confirm you trust the backend domain (mega-api-prod.nemovideo.ai) and its privacy policy — your videos will be uploaded there.
(2) Ask the publisher why the skill needs to detect install paths or read ~/.config/nemovideo/ (this leaks which client you use and some local path data).
(3) Prefer setting a limited/replaceable API token (NEMO_TOKEN) and avoid using long-lived or broadly privileged credentials.
(4) If you have sensitive video content, do not upload it until you confirm where and how files and tokens are stored and who can access them.
(5) If anything about the headers, anonymous-token flow, or file retention is unclear, request clarification from the skill author — the metadata mismatch (registry vs SKILL.md) should be resolved before trusting the skill.

latestvk97e4j1343jpyaadey92ky672184qevf

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
