Subtitles From Video
PassAudited by VirusTotal on May 3, 2026.
Overview
Type: OpenClaw Skill Name: subtitles-from-video Version: 1.0.0 The skill is a functional integration for the NemoVideo cloud service, designed to automate video subtitling and rendering. It provides detailed instructions for the AI agent to handle authentication (including anonymous token generation), file uploads, and render job polling via the `mega-api-prod.nemovideo.ai` API. All network activities and file access requirements (such as reading video files and configuration paths) are directly aligned with the stated purpose of video processing, with no evidence of malicious intent, data exfiltration, or unauthorized execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act within the NemoVideo session associated with the token and may use free credits or existing account/session access.
The skill uses or creates a bearer token for the NemoVideo service. This is expected for the cloud backend, but it gives the skill session/account authority for rendering operations.
Look for `NEMO_TOKEN` in the environment. If found, skip to session creation. Otherwise: ... POST `https://mega-api-prod.nemovideo.ai/api/auth/anonymous-token` ... Extract `data.token`
Use a limited or dedicated token when possible, do not paste unrelated credentials, and rotate or remove the token if you stop using the skill.
Private videos, audio, images, filenames, URLs, and editing prompts may be processed by the NemoVideo backend.
The workflow sends user media files and prompt text to an external cloud service. This is central to the skill's purpose and is disclosed, but it is a sensitive data flow.
Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"` ... Send message (SSE): POST `/run_sse` ... `new_message`
Avoid uploading confidential, regulated, or third-party-sensitive media unless you trust the provider and its data handling terms.
If the backend response is wrong or unexpected, the agent could perform unintended edits or exports within the active session.
The agent is told to treat backend responses as instructions for subsequent API actions. This supports the intended cloud-editing flow, but it means remote service output influences agent behavior.
The backend responds as if there's a visual interface. Map its instructions to API calls: ... "click" or "点击" → execute the action via the relevant endpoint ... "Export" or "导出" → run the export workflow
Check status summaries and exported results before relying on the output, especially for important or public videos.
Users have less information for verifying who maintains the skill or reviewing provider documentation before sending media to the service.
The registry metadata does not provide a source repository or homepage for independent verification. No local code or install script is present, so this is a provenance note rather than evidence of unsafe behavior.
Source: unknown; Homepage: none
Verify the service domain and provider separately before using the skill with sensitive files.