ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subtitle Generator Free

v1.0.4

subtitle-generator-free by ClawHub lets you drop any video and walk away with accurate, timestamped subtitles — no subscriptions, no watermarks, no fuss. Upl...

0· 123·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to transcribe and align video using NemoVideo and all of its declared network endpoints, headers, and env vars map to that purpose. The only mismatch: registry metadata lists NEMO_TOKEN as a required env var, but the SKILL.md states NEMO_TOKEN is optional (auto-generated anonymous tokens are available). This inconsistency should be clarified.
Instruction Scope
Instructions are focused on the captioning workflow (session init, upload, export, credits, state). They read/write a small config file (~/.config/nemovideo/client_id) and build/attach headers (X-Skill-Source, X-Skill-Version, X-Skill-Platform). There is no instruction to read unrelated files or other credentials, but determining X-Skill-Platform may inspect the skill's install path (potentially revealing platform/host path info).
Install Mechanism
No install specification and no code files — instruction-only skill. This minimizes disk write/install risk; nothing is downloaded or executed beyond standard HTTP requests the agent will perform at runtime.
Credentials
Only Nemo-related env vars are referenced (NEMO_TOKEN, NEMO_API_URL, NEMO_WEB_URL, NEMO_CLIENT_ID). This is proportionate to the stated purpose. However, the registry marks NEMO_TOKEN as required while SKILL.md documents an anonymous auto-token flow (token optional). The skill will also persist a client_id UUID to the user's home config directory.
Persistence & Privilege
The skill writes a single non-secret UUID to ~/.config/nemovideo/client_id to avoid creating new anonymous tokens each time; this behavior is declared in metadata (configPaths) and is normal for such integrations. always:false (not force-included) and autonomous invocation remains default behavior.
What to consider before installing
Before installing: 1) Clarify whether NEMO_TOKEN must be set manually or whether the agent will use the anonymous token flow (SKILL.md vs registry disagree). 2) Understand that your video/audio and a Bearer token will be sent to mega-api-prod.nemovideo.ai — do not use this skill for content you cannot send to a third party. 3) The skill will create ~/.config/nemovideo/client_id (UUID only) and may inspect the skill file path to populate X-Skill-Platform headers (this can reveal platform/install-path info). 4) Tokens expire in 7 days; if you prefer tighter control, create and revoke tokens from nemovideo.com and avoid storing long-lived secrets in shared agents. 5) If any of the above is unacceptable or unclear, treat this as untrusted and avoid installing until the maintainers clarify the NEMO_TOKEN requirement and data handling policy.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cavjzp6f1xe1yj3c2hge32983x4a0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments