Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Subtitle Maker
v1.0.0
You recorded a podcast episode. Your audience is global. The first viewer in Tokyo needs Japanese subtitles, the second in São Paulo needs Portuguese, the th...
⭐ 0· 44·0 current·0 all-time
by peandrover adam@peand-rover
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to transcribe, translate, time, and export subtitles — requiring an API token for an external subtitle service (NEMO_TOKEN) and a nemovideo config directory (~/.config/nemovideo/) is consistent with that purpose.
Instruction Scope
This is an instruction-only skill (no code). The provided SKILL.md describes uploading media to a service and receiving subtitle files, which is within scope. However the supplied SKILL.md was truncated in the review bundle; without the full runtime instructions we cannot confirm there are no steps that read or exfiltrate unrelated local files or secrets. The presence of a configured config path suggests the agent may read files from the user's home directory.
Install Mechanism
No install spec and no code files — lowest-risk delivery model (instruction-only). Nothing will be written to disk by an installer as part of skill installation.
Credentials
The skill declares a primary credential NEMO_TOKEN (reasonable for a third-party subtitle API) and a config path (~/.config/nemovideo/) — also reasonable. However, metadata lists requires.env as an empty array while primaryEnv is set to NEMO_TOKEN; this inconsistency is sloppy and could indicate the SKILL.md or metadata doesn't fully describe which environment variables will be accessed at runtime. Reading a user config directory inside the home folder may expose other credentials or data if the agent is permitted to access it.
Persistence & Privilege
always is false and the skill is not requesting any elevated or permanent platform presence. The skill does not declare any ability to modify other skills or system-wide settings.
What to consider before installing
Before installing, ask the publisher to confirm these points: (1) exactly which environment variables the skill will read at runtime — NEMO_TOKEN should be explicitly listed in requires.env; (2) what files under ~/.config/nemovideo/ will be accessed and why (avoid broad home-directory reads); (3) which remote endpoints the skill uploads media to (provide hostnames and privacy policy), and whether uploaded media or transcripts are stored, retained, or used to train models; (4) the minimum permission/scope required for NEMO_TOKEN and whether you can create a token limited to subtitle operations only. If the publisher cannot clearly answer these, do not install or supply credentials. Because the SKILL.md provided here was truncated, request the complete runtime instructions and review them for any steps that read unrelated paths, environment variables, or that post data to unexpected endpoints.
Like a lobster shell, security has layers — review code before you run it.
latest: vk974z6pmz9019gx4y0rt76c3kn83wsf7
Runtime requirements
🗣️ Clawdis
Primary env: NEMO_TOKEN
