Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Subtitle Video

v1.0.1

Add subtitles to any video automatically — just upload and NemoVideo transcribes, times, styles, and burns captions directly into your footage. No manual typ...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (auto subtitle video) match the runtime instructions which call a NemoVideo API endpoint. Requesting a single NEMO_TOKEN credential is appropriate for a third‑party captioning API. However, there are metadata mismatches: registry metadata lists version 1.0.1 while SKILL.md shows 1.1.1, and the registry summary said no required config paths while SKILL.md metadata includes ~/.config/nemovideo/ — these inconsistencies should be reconciled.
Instruction Scope
SKILL.md provides concrete instructions that upload or reference a video and POST JSON to https://mega-api-prod.nemovideo.ai/api/v1/generate using Authorization: Bearer $NEMO_TOKEN. The instructions do not tell the agent to read arbitrary system files, other credentials, or exfiltrate unrelated data. They stay within the subtitle/processing scope.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — minimal install risk because nothing is written or executed locally by the skill itself.
Credentials
The skill requires a single primary credential (NEMO_TOKEN), which is proportionate to calling a hosted NemoVideo API. That said, the registry summary earlier listed 'Required env vars: none' while declaring a primary credential elsewhere — a small inconsistency. Also SKILL.md references a config path (~/.config/nemovideo/) which could store tokens locally; confirm what the token grants and whether it can be scoped/rotated.
Persistence & Privilege
always is false and the skill does not request persistent or system-wide privileges. There is no evidence it modifies other skills or agent settings. The only persistence hint is the config path in SKILL.md metadata (user-level), which is plausible but should be verified.
What to consider before installing
Before installing:
(1) Confirm you trust NemoVideo — installing gives the skill access to a NEMO_TOKEN bearer token that will be sent to https://mega-api-prod.nemovideo.ai and used to upload/process your videos.
(2) Verify the GitHub repo/homepage and the developer identity if possible (the SKILL.md and registry metadata show small mismatches in version and config-path declarations).
(3) Consider creating a limited-scope or revocable API token for this skill rather than using high-privilege credentials.
(4) Review NemoVideo's privacy/data-retention policy — do they store or keep copies of uploaded videos, and for how long?
(5) If you need stronger guarantees, ask the publisher to clarify the config path usage (~/.config/nemovideo/) and update the registry metadata so version and required-credentials are consistent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aa2ch5ymn1bv4jz2c289h4183tz90


Runtime requirements

🔤 Clawdis
Primary env: NEMO_TOKEN
