Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Easy Subtitle Generator
v1.0.0
Cloud-based easy-subtitle-generator tool that handles adding subtitles to YouTube videos. Upload MP4, MOV, AVI, WebM files (up to 500MB), describe what you n...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be a cloud subtitle renderer and all runtime instructions target a remote service (mega-api-prod.nemovideo.ai) and require a NEMO_TOKEN — this is coherent. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths, which is an inconsistency worth noting.
Instruction Scope
Instructions are explicit about creating sessions, uploading video files (up to 500MB), handling SSE, and including attribution headers. They instruct the agent to POST files and metadata to the remote API and to read local install paths (to detect X-Skill-Platform). This stays within the subtitle/rendering purpose but does require uploading user media and reading local install paths and the skill's frontmatter — review this if you have privacy or environment-read concerns.
Install Mechanism
Instruction-only skill with no install steps or downloaded code — low installation risk. There are no binaries or archives to fetch.
Credentials
Only one credential is requested (NEMO_TOKEN), which is appropriate for a cloud service. The skill will fall back to obtaining an anonymous token from the remote API if no token is present. Be aware that any provided NEMO_TOKEN is a bearer token for the external service and must be trusted.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation behavior. It does not request system-wide modifications or elevated privileges in the instructions.
Scan Findings in Context
[no-findings] expected: The static regex-based scanner found nothing because the skill is instruction-only (no code files) — there was nothing for the scanner to analyze.
What to consider before installing
This skill will upload whichever video files you give it to the external domain mega-api-prod.nemovideo.ai and uses a bearer token (NEMO_TOKEN) or an anonymous token it fetches for you. Confirm you trust that service with your videos and metadata before using it. Note the SKILL.md frontmatter references a local config path (~/.config/nemovideo/) even though the registry shows none; ask the publisher why that path is needed. If you have sensitive content, avoid uploading it or verify the vendor's privacy/retention policy. Only provide a NEMO_TOKEN if it has minimal scope and you trust the owner; otherwise let the skill use the anonymous token path. If you want stronger assurance, request the skill's source or an official homepage and verify the domain and owner identity before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk97cg515rj27ghgmj76b7fppe184kc05
Runtime requirements
💬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
