Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Easy Subtitles

v1.0.0

YouTubers and content creators add video files into captioned videos using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPUs at 1080...

by peandrover adam@peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill declares a single credential (NEMO_TOKEN) which matches the backend API usage for uploads and rendering. However the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is unexplained and could indicate the skill expects to read/write a local config directory beyond what's declared.
Instruction Scope
Runtime instructions are narrowly focused on session creation, uploading video files, SSE streaming, and export requests to the listed nemovideo.ai endpoints. They instruct the agent to generate and store session_id and tokens and to use a generated anonymous token when NEMO_TOKEN is not present. A possibly surprising instruction: auto-detection of X-Skill-Platform by inspecting an 'install path' (agent install path) — that may require reading environment/paths outside purely handling user-supplied video files.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing is downloaded or written by an installer. That lowers install-time risk.
Credentials
Only one credential is required (NEMO_TOKEN), which is proportional to the declared purpose. The SKILL.md also instructs generating an anonymous token via an API if NEMO_TOKEN is absent (acceptable). Still, the skill asks for persistence (implied by frontmatter configPaths) which could lead to tokens being written to ~/.config/nemovideo/ — users should confirm where tokens/session IDs are stored.
Persistence & Privilege
Although always:false (normal), the skill's frontmatter references a config path (~/.config/nemovideo/) suggesting it may persist session/token state to disk. The registry listing did not declare that path, creating an inconsistency. Persisting auth tokens or session IDs without clear user-visible storage/location is a risk and should be confirmed.
What to consider before installing
This skill largely does what it says (upload, create a session, request rendering from nemovideo.ai) and requests only one credential (NEMO_TOKEN), but there are a few things to check before installing:
1) Verify the backend domain (mega-api-prod.nemovideo.ai) is the legitimate service you expect and matches any vendor pages or docs.
2) Clarify where session tokens and NEMO_TOKEN are stored — the SKILL.md frontmatter mentions ~/.config/nemovideo/, but the registry metadata did not; avoid giving long-lived personal or org credentials — prefer using the anonymous token flow if possible.
3) Be aware the skill asks the agent to 'auto-detect' platform from an install path (this may cause the agent to read environment/install paths); ask the author to document exactly what is read/written.
4) Do not upload sensitive videos unless you trust the service and have reviewed its privacy/retention policy.
If you need higher assurance, request the skill author to: explicitly list config paths in registry metadata, confirm token storage behavior, and provide a published homepage or owner contact for verification.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c604xby5kaetr5zh4yh70sn84ks3g

Runtime requirements

💬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN