Subtitles From Video
PassAudited by ClawScan on May 3, 2026.
Overview
This skill appears purpose-aligned, but it sends uploaded media and prompts to a NemoVideo cloud API using a token, so use it only with videos you are comfortable processing remotely.
This skill is reasonable for cloud-based subtitle generation, but it is not a local-only tool. Before installing, be comfortable with sending your video or audio files, prompts, and session metadata to the NemoVideo API, and use a dedicated or limited NEMO_TOKEN if possible.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act within the NemoVideo session associated with the token and may use free credits or existing account/session access.
The skill uses or creates a bearer token for the NemoVideo service. This is expected for the cloud backend, but it gives the skill session/account authority for rendering operations.
Look for `NEMO_TOKEN` in the environment. If found, skip to session creation. Otherwise: ... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... Extract `data.token`
Use a limited or dedicated token when possible, do not paste unrelated credentials, and rotate or remove the token if you stop using the skill.
Private videos, audio, images, filenames, URLs, and editing prompts may be processed by the NemoVideo backend.
The workflow sends user media files and prompt text to an external cloud service. This is central to the skill's purpose and is disclosed, but it is a sensitive data flow.
Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"` ... Send message (SSE): POST `/run_sse` ... `new_message`
Avoid uploading confidential, regulated, or third-party-sensitive media unless you trust the provider and its data handling terms.
If the backend response is wrong or unexpected, the agent could perform unintended edits or exports within the active session.
The agent is told to treat backend responses as instructions for subsequent API actions. This supports the intended cloud-editing flow, but it means remote service output influences agent behavior.
The backend responds as if there's a visual interface. Map its instructions to API calls: ... "click" or "点击" → execute the action via the relevant endpoint ... "Export" or "导出" → run the export workflow
Check status summaries and exported results before relying on the output, especially for important or public videos.
Users have less information for verifying who maintains the skill or reviewing provider documentation before sending media to the service.
The registry metadata does not provide a source repository or homepage for independent verification. No local code or install script is present, so this is a provenance note rather than evidence of unsafe behavior.
Source: unknown; Homepage: none
Verify the service domain and provider separately before using the skill with sensitive files.