Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Subtitles Generator Free
v1.0.0
Turn a 3-minute YouTube tutorial video into 1080p captioned video files just by typing what you need. Whether it's adding auto-generated subtitles to videos...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description claim cloud-based subtitle generation and embedding; the SKILL.md explicitly calls out endpoints on mega-api-prod.nemovideo.ai for session creation, upload, SSE chat, and export — these are coherent with the stated purpose. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata listed no required config paths, which is an inconsistency worth noting.
Instruction Scope
Instructions include fully automated backend onboarding (generate anonymous UUID, POST to obtain a token, create a session, store session_id) and explicit guidance to avoid showing raw API responses or token values to the user. The skill also instructs the agent to read the file's YAML frontmatter and detect install path to set X-Skill-Platform — that implies probing local install paths. Uploading user video files to a third-party cloud service is expected for this skill, but the SKILL.md does not discuss data retention, privacy, or what metadata is sent. The combination of automatic anonymous-token creation, hidden token handling, and local path probing is operationally coherent but sensitive and should be reviewed.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low-risk from an installation/execution standpoint because nothing is downloaded or written by an install step.
Credentials
Only one environment variable (NEMO_TOKEN) is required, which matches the described API authentication model. That is proportionate. Note the SKILL.md frontmatter also references a config path (~/.config/nemovideo/) that the registry metadata did not list; if the agent will read that path at runtime, it should be declared and justified.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It instructs automatic first-time connection to a backend (normal for a cloud service). Autonomous invocation is allowed (platform default) but not combined with any of the more concerning flags like always:true.
Scan Findings in Context
[no-findings] expected: The package is instruction-only and had no code for the regex scanner to analyze. Lack of findings is expected but not evidence of safety; runtime instructions (network calls, token usage, file uploads) are the primary surface to review.
What to consider before installing
This skill is generally coherent for a cloud subtitle/render pipeline but contains a few things to check before you install or enable it:
1) Confirm the backend endpoint (mega-api-prod.nemovideo.ai) is a service you trust — there is no homepage or publisher info in the registry.
2) Understand privacy: videos and extracted text will be uploaded to a third-party cloud. Ask the provider about retention, sharing, and whether content is used to train models.
3) The skill will create or use a NEMO_TOKEN (it can auto-obtain an anonymous token if one isn't present); anonymous tokens are short-lived but still grant upload access — consider testing with non-sensitive sample videos first.
4) The SKILL.md suggests reading frontmatter and detecting install paths (~/.clawhub/, ~/.cursor/skills/) — confirm whether the agent will probe local paths and that you're comfortable with that.
5) If you need guarantees about deletion or non-training, request explicit documentation from the skill author.
Because of the metadata inconsistency (config path shown in SKILL.md but not in registry metadata) and the hidden-token handling, proceed cautiously — if you want to move forward, test with throwaway data and verify network calls and token lifetimes.
Like a lobster shell, security has layers — review code before you run it.
latestvk978czshk0dyenyd92ysbsqvtd84xj5z
Runtime requirements
💬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
