ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subtitle Video Online

v1.0.0

Turn a 3-minute tutorial video in MP4 into 1080p captioned video files just by typing what you need. Whether it's adding subtitles to videos online without s...

0· 58·0 current·0 all-time
by@linmillsd7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match the actions in SKILL.md: it uploads videos, requests subtitles, and exports rendered MP4s from a remote service. The declared primary env var (NEMO_TOKEN) is appropriate for that purpose. However, registry metadata says no required config paths while the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) — that mismatch is unexpected and should be clarified.
!
Instruction Scope
Instructions will upload user video files and interact with an external API (mega-api-prod.nemovideo.ai). The skill instructs the agent to generate an anonymous token if NEMO_TOKEN is not present and to 'store' the token and session_id for subsequent requests; it is unclear where/how tokens or session state should be persisted (environment, agent memory, or disk). The SKILL.md also requires reading/writing a config path in frontmatter — reading or writing user config files is scope creep for a simple subtitle helper and is not documented in the registry metadata.
Install Mechanism
This is instruction-only with no install spec or code files, so nothing is written to disk by an installer. That minimizes install-time risk but also means there is no code to audit beyond the instructions.
Credentials
Only a single credential (NEMO_TOKEN) is declared, which is proportionate to a third‑party API client. But SKILL.md describes obtaining an anonymous token automatically and storing it, and frontmatter mentions a config path — these behaviors imply the skill may read/write credentials or config in the user's environment without explicit consent. Also the service will receive full video files, so the privacy implications are material.
Persistence & Privilege
The skill is not always-enabled and doesn't request elevated platform privileges. However, it instructs the agent to persist the anonymous token and session_id and references a per-user config directory (~/.config/nemovideo/) — that implies persistent storage of credentials/state which should be documented and consented to. Autonomous invocation is allowed (platform default) which increases the impact if persistence is misused.
What to consider before installing
This skill will upload your videos to a third‑party service and either use an existing NEMO_TOKEN or create and store an anonymous token for you. Before installing: 1) Confirm the service domain (mega-api-prod.nemovideo.ai) and owner — there's no homepage or source link in the registry. 2) Decide whether you want your videos sent to an external service (don't upload sensitive content). 3) Ask the developer where tokens/session state are stored (env var vs disk) and whether the config path (~/.config/nemovideo/) will be read/written. 4) Prefer supplying your own service token rather than allowing automatic anonymous token creation if you need control over retention/consent. 5) If you proceed, monitor what the skill stores (agent state or config files) and revoke any anonymous token/credits when done.

Like a lobster shell, security has layers — review code before you run it.

latestvk974ph8gk8168zx00xhv6wm25d84mz9n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments