Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Subtitle Generator Online

v1.0.4

The auto-subtitle-generator-online skill transcribes and embeds accurate subtitles into your videos using AI-powered speech recognition. Upload your footage,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (transcribe and embed subtitles via nemovideo API) aligns with the runtime behavior: network calls to mega-api-prod.nemovideo.ai and handling tokens make sense for this service. However, the registry metadata lists NEMO_TOKEN as a required env var and claims no config paths, while the SKILL.md treats NEMO_TOKEN as optional (auto-generated anonymous token if not provided) and declares a config path (~/.config/nemovideo/). This mismatch between the registry metadata and SKILL.md is flagged as an inconsistency.
Instruction Scope
The SKILL.md instructions stay within the expected scope: they ask for a token (or obtain an anonymous one), persist a client_id UUID under ~/.config/nemovideo/, and call the service endpoints to create sessions and process video. There are no instructions to read unrelated system files or other credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. The only file-write behavior is the intentional creation of ~/.config/nemovideo/client_id described in the runtime instructions.
Credentials
Registry metadata declares NEMO_TOKEN as a required primary credential, but SKILL.md explicitly says NEMO_TOKEN is optional and can be generated anonymously (and recommends persisting NEMO_CLIENT_ID). This inconsistency is concerning: users may be prompted to supply a secret token when the skill can operate with an anonymous token. Also, the SKILL.md references other environment variables (NEMO_API_URL, NEMO_WEB_URL, NEMO_CLIENT_ID) that are optional — that's reasonable — but the conflicting statements about which env vars are required should be clarified before trusting the skill.
Persistence & Privilege
The skill persists a client_id UUID to ~/.config/nemovideo/client_id to avoid per-IP token rate limits. This is a modest and explainable persistence. always is false (normal). There is no instruction to persist user tokens to disk, but SKILL.md does instruct saving the anonymous token as the session NEMO_TOKEN (transient). Confirm whether any tokens are ever written to disk.
What to consider before installing
This skill appears to do what it says (it calls the nemovideo API and manages a client-id file), but there are inconsistencies you should resolve before installing: the registry says NEMO_TOKEN is required while the skill itself will auto-generate an anonymous token and persist a client_id to ~/.config/nemovideo/. Questions to ask or actions to take before use:
(1) Verify whether you need to supply your own NEMO_TOKEN for production or if anonymous tokens are used;
(2) Confirm that only a UUID (no secrets) is written to ~/.config/nemovideo/client_id and that no tokens are persisted to disk unexpectedly;
(3) Review the service's privacy/terms on nemovideo.com to ensure you are comfortable sending video/audio to their API;
(4) If you prefer control, create and supply your own NEMO_TOKEN and revoke it if needed.
If the publisher can clarify the metadata vs SKILL.md mismatch (required env vars and configPaths), confidence that this skill is coherent will increase.

Like a lobster shell, security has layers — review code before you run it.

latestvk972fzxrvc78d7hxr8b0v54pt983tzpm

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
