Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Subtitle Generator Extension
v1.0.0Get captioned videos ready to post, without touching a single slider. Upload your video files (MP4, MOV, AVI, WebM, up to 500MB), say something like "add sub...
⭐ 0· 48·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (subtitle generation + export) aligns with the API calls and upload/export flow in SKILL.md. Asking for a NEMO_TOKEN as the primary credential is expected for a cloud service. However, the frontmatter in SKILL.md also lists a configPaths requirement (~/.config/nemovideo/) even though the registry metadata shows no required config paths — this is an inconsistency. The skill also instructs the agent to inspect the agent's install path (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform; detecting install paths is unrelated to subtitle generation and looks unnecessary.
Instruction Scope
The runtime instructions are mostly scoped to creating a session, uploading video files, streaming SSE events, polling render status, and returning a download URL — all expected. The instructions also tell the agent to generate an anonymous NEMO_TOKEN if none is present (via POST to mega-api-prod.nemovideo.ai), to derive headers from the SKILL.md frontmatter, and to detect install paths on the host. Reading SKILL.md content to build headers is reasonable; probing the user's filesystem to detect install paths is out-of-scope for subtitle generation and broadens what the agent must access.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low-risk from an install perspective because nothing is downloaded or written by an installer.
Credentials
Only one declared env var (NEMO_TOKEN) which is proportional for a cloud API. But SKILL.md describes auto-creating an anonymous token if NEMO_TOKEN is missing, so requiring NEMO_TOKEN in metadata is slightly misleading (the skill can operate without a pre-provided token). The frontmatter's configPaths entry (~/.config/nemovideo/) in SKILL.md is not reflected in the top-level registry info — this suggests the skill expects to access a user config path it didn't declare.
Persistence & Privilege
always:false and normal model invocation settings. The skill does not request persistent presence or system-wide modification in the provided instructions.
What to consider before installing
This skill appears to do what it says (upload your video to the vendor and return a subtitled MP4), but check a few things before installing or using it: 1) It will upload your videos to https://mega-api-prod.nemovideo.ai — don't send sensitive footage without confirming the service provider and privacy policy. 2) The skill declares NEMO_TOKEN but can also auto-generate an anonymous token; decide whether you want to supply your own token or let it create one. 3) SKILL.md references reading or probing local paths (e.g., ~/.config/nemovideo/ and install paths like ~/.clawhub/) to build headers — ask the developer why those filesystem reads are needed or disallowed if you prefer tighter privacy. 4) There are small inconsistencies in the metadata (declared config paths vs registry fields and supported formats vs initial size/type limits); ask the publisher for a homepage, documentation, and clarification before trusting it with production or sensitive content.Like a lobster shell, security has layers — review code before you run it.
latestvk979bfm95qxcyffwxgp1y8mcx984pqf7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN