Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Caption Generator Ai Ab Old

v1.0.0

Tired of spending hours transcribing dialogue and manually syncing captions to your videos? The video-caption-generator-ai skill automatically detects speech...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, required env var (NEMO_TOKEN), and config path (~/.config/nemovideo/) align with a cloud captioning service; required capabilities (session creation, uploads, credits) are expected for this purpose.
Instruction Scope
The SKILL.md instructs the agent to generate and persist a client_id at ~/.config/nemovideo/client_id (declared in metadata) and to request an anonymous token if NEMO_TOKEN is absent. However it also directs the agent to generate a workspace claim link that places the token in a query parameter (https://nemovideo.com/workspace/claim?token=$TOKEN...), which risks leaking the token via browser history, referer headers, or logs. The doc also says 'Don't display raw API responses or token values to the user'—contradictory with embedding the token in a user-facing link.
Install Mechanism
Instruction-only skill (no install spec, no code files) — minimal install risk; nothing is downloaded or written beyond the explicit config path mentioned in metadata.
Credentials
Only NEMO_TOKEN is declared as required, which is appropriate. The skill also instructs obtaining an anonymous token from the service if no token is present; that behavior is reasonable but increases the agent's ability to create credentials on your behalf. Storing or sending this token in a URL is not justified by the purpose and increases disclosure risk.
Persistence & Privilege
always is false. The skill asks to write a local client_id under ~/.config/nemovideo/ (declared in metadata) and to keep a session_id for requests — limited, scoped persistence and privileges confined to its own config path.
What to consider before installing
This skill appears to do what it says (cloud captioning) and only requires a service token, but there are two things to consider before installing:
- Token handling: the instructions tell the agent to obtain (if absent) and use an anonymous NEMO_TOKEN, then generate a workspace link that includes the token in a URL. Tokens in URLs can be leaked via browser history, referer headers, or logs. If you install this skill, prefer to (a) supply your own token in NEMO_TOKEN rather than letting the agent fetch one, and (b) ask the skill author to avoid placing tokens in query strings — use short-lived server-side claim flows instead.
- Visibility & storage: the skill will write a client_id to ~/.config/nemovideo/ and store session identifiers. Confirm you are comfortable with creating these files and that they do not collide with other tools. Also verify the service domain (nemovideo.com / mega-api-prod.nemovideo.ai) and the repository URL before trusting it with sensitive videos or credentials.
If you need higher assurance, request the skill be updated to: avoid embedding tokens in URLs, clearly document where tokens/sessions are stored, and require explicit user consent before generating or persisting credentials.


latestvk9767kga22dr3j34p9jp0se90x83xdb6


Runtime requirements

Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
