ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Subtitle Capcut

v1.0.0

Get captioned video files ready to post, without touching a single slider. Upload your video clips (MP4, MOV, AVI, WebM, up to 500MB), say something like "au...

0· 44·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (auto-generate subtitles for short videos) matches the API endpoints and upload/export flow described in SKILL.md. However the SKILL.md frontmatter declares a required config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch is unexplained and worth attention.
Instruction Scope
Instructions focus on expected actions (obtain anonymous token, create session, upload video, render/export, poll status). They instruct the agent to detect install path to set an attribution header (reads paths like ~/.clawhub/ or ~/.cursor/skills/), and to handle local file uploads (multipart file field). Reading the agent's install path and mapping local file paths is functionally relevant but does require filesystem inspection and use of user-provided file contents; this is reasonable for a video upload skill but is a privacy-sensitive operation and should be explicitly consented to by the user.
Install Mechanism
No install spec or remote downloads — instruction-only skill. No code is written to disk by the skill at install time, which lowers risk.
!
Credentials
The skill declares a single primary environment variable, NEMO_TOKEN, which is appropriate for an API-backed service. SKILL.md additionally describes automatically acquiring an anonymous token if NEMO_TOKEN is absent. However the frontmatter also lists a config path (~/.config/nemovideo/) which could give access to other stored credentials or user data; that path is not justified by the description and creates disproportionate potential access.
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not ask to modify other skills or system-wide settings. It instructs agents to store session_id for the duration of a session, which is normal for a web API integration.
What to consider before installing
This skill appears to do what it says (upload a video, call a cloud rendering API, and return a subtitled MP4). Before installing, consider: 1) The skill needs or will create a NEMO_TOKEN (an API bearer token). If you don't provide one it will request an anonymous token on your behalf — understand that acquires short-lived credentials tied to the external nemo API. 2) The SKILL.md asks the agent to inspect install paths (to set an attribution header) and mentions a config directory (~/.config/nemovideo/) — verify you are comfortable with the skill reading those paths and that the domain (mega-api-prod.nemovideo.ai) is a service you trust. 3) Because it handles user video files, confirm you consent to uploading those files to the remote service (privacy/retention matters). 4) The repository metadata and the SKILL.md disagree about required config paths — ask the publisher to clarify why that path is needed and what it contains. If you need higher assurance, request the network/API call examples, data retention policy, or a publisher/homepage for the service before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dfk1x2y2vjzxphbg972wgyn84qygn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments