ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Caption Generator Hindi

v1.0.0

Get Hindi captioned videos ready to post, without touching a single slider. Upload your video files (MP4, MOV, AVI, WebM, up to 500MB), say something like "a...

0· 21·0 current·0 all-time
by@linmillsd7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Hindi captioning) aligns with the runtime instructions (upload video, create session, render/export). The single required env var NEMO_TOKEN is appropriate for a third-party API. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) not listed in the registry's top-level 'Required config paths', a mismatch worth questioning.
Instruction Scope
Instructions stay within the service's domain (mega-api-prod.nemovideo.ai) and describe session creation, SSE, upload, export, and polling. This requires uploading user video files to the external API and streaming SSE events — expected for a cloud render workflow but privacy-sensitive. The skill also tells the agent to auto-acquire an anonymous token if NEMO_TOKEN is absent and to 'auto-detect' a platform value from the install path, which implies the agent may read environment/paths beyond just the declared token.
Install Mechanism
Instruction-only skill with no install steps or code to download — lowest install risk. Nothing is written to disk by an installer because no install spec is provided.
Credentials
Only NEMO_TOKEN is declared as required (reasonable). But SKILL.md references a config directory (~/.config/nemovideo/) and asks to use NEMO_TOKEN if present; if not present it will obtain an anonymous token from the API. The extra config path in the frontmatter wasn't recorded in the registry metadata, creating an unexplained discrepancy. Requiring a single token is proportional, but the skill will access network endpoints and potentially local paths for 'auto-detect' behavior.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent 'always' presence or system-wide configuration changes. Autonomous invocation is allowed (default) but not combined with other high-risk flags here.
What to consider before installing
This skill appears to do what it says (upload your video to nemovideo.ai, generate Hindi captions, return a downloadable MP4), but check a few things before installing: 1) Privacy: videos are uploaded to a third-party API (mega-api-prod.nemovideo.ai). Don't upload confidential content unless you trust that service. 2) Token usage: the skill will use any NEMO_TOKEN in the agent environment; if none exists it will request an anonymous token from the service. Consider using a scoped/ephemeral token rather than a global secret. 3) Config-path mismatch: the SKILL.md frontmatter mentions ~/.config/nemovideo/ (possible local config access) even though the registry metadata did not — ask the publisher why and what is read/written there. 4) Attribution headers and platform auto-detection require the agent to inspect install paths; confirm you’re comfortable with that. 5) Verify the API domain and the publisher independently if you need higher assurance. If these points are acceptable and you expect uploads to a cloud service, the skill’s behavior is plausible; if not, treat it as risky and avoid installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk971zyyqbpc6c5dpxfc8c1f1p584wzey

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments