ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Video Caption Generator

v1.0.2

The ai-video-caption-generator skill brings accurate, AI-powered captioning to your video workflow through a simple conversational interface. Transcribe spee...

0· 68·0 current·0 all-time
by@nemovideonemo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to provide AI captioning via the NemoVideo API and only requires an API token (NEMO_TOKEN) and a small client_id file for rate tracking. Required env vars, API domain, and config path (~/.config/nemovideo/) match the stated cloud-captioning purpose and are proportionate.
Instruction Scope
SKILL.md instructs the agent to obtain an anonymous token if NEMO_TOKEN is not present, read/write ~/.config/nemovideo/client_id, call the published NemoVideo API endpoints (token acquisition and session creation), and operate on user-supplied video files. Those actions are within scope for a captioning skill, but they imply uploading user video and metadata to the external service — a privacy consideration the user should understand before proceeding.
Install Mechanism
No install spec or code is present (instruction-only), so nothing is downloaded or written at install time beyond the runtime creation of a small config file. This is the lowest install risk.
Credentials
Only NEMO_TOKEN is declared required (primary credential). The SKILL.md also documents optional env vars (NEMO_API_URL, NEMO_WEB_URL, NEMO_CLIENT_ID) and uses a generated client_id for rate-limiting. These are reasonable and proportionate for a cloud API integration; there are no unrelated secrets requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only persists a non-secret UUID to ~/.config/nemovideo/client_id. It may store an anonymous token for the session, which the spec says expires in 7 days. This level of persistence is expected for this functionality.
Assessment
This skill appears to do what it says: it uses NemoVideo's cloud API to transcribe and style captions. Before installing, consider that: (1) using the skill will upload your video files to an external service (Nemovideo) — do not send sensitive/private videos unless you trust their policy; (2) the skill will create ~/.config/nemovideo/client_id (a UUID) and may acquire a temporary anonymous token (NEMO_TOKEN) valid ~7 days — you can revoke tokens via nemovideo.com; (3) if you have a NemoVideo account, provide your own NEMO_TOKEN instead of relying on anonymous tokens for better control; and (4) review NemoVideo's privacy/terms and the SKILL.md text if you need guarantees about retention or data handling. If you'd like, I can scan the remaining parts of SKILL.md for any additional actions (uploads, analytics, or unexpected endpoints) before you install.

Like a lobster shell, security has layers — review code before you run it.

latestvk979rqyh027jxrkdvgmhamxeqd83t8zt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments