ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Auto Subtitle Generator

v1.0.4

The free-auto-subtitle-generator skill on ClawHub detects speech in your video and burns accurate, timed subtitles directly into the footage — no manual sync...

0· 83·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the required artifacts: the skill orchestrates speech-to-text and burned-in caption rendering via the nemovideo API. Requesting a NEMO_TOKEN API credential and offering an anonymous-token fallback is coherent for a hosted service that performs rendering/transcription.
Instruction Scope
The SKILL.md instructs the agent to read/write ~/.config/nemovideo/client_id, to call nemovideo authentication and API endpoints via curl, and to persist an anonymous-client ID. These actions are expected for a service that rate-limits by client ID, but they do cause local file I/O and network requests to the documented API domain; review whether you are comfortable uploading videos to that third-party service and persisting a client_id file.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only and relies on existing system tooling (curl, uuidgen). This is the lowest install risk surface; nothing is downloaded or extracted.
Credentials
The skill requires a single service credential (NEMO_TOKEN) and documents that it can auto-generate an anonymous token if none is provided. Optional env vars (API URL, web URL, client ID) are appropriate for a hosted API client. No unrelated secrets or cloud credentials are requested.
Persistence & Privilege
The skill persists a Client-Id UUID at ~/.config/nemovideo/client_id to avoid token rate limits; this file is non-secret (UUID only). The skill does not request always:true and does not require elevated system privileges. If you prefer, you can pre-create or inspect this file before using the skill.
Assessment
This skill appears to do what it says: it will call nemovideo's API to transcribe and burn subtitles into videos. Before installing, consider: (1) the skill will send your video data to https://mega-api-prod.nemovideo.ai — do not upload sensitive footage unless you trust the service and its privacy/terms; (2) it will create ~/.config/nemovideo/client_id (a non-secret UUID) and may store a short-lived NEMO_TOKEN for the session; (3) you can supply your own NEMO_TOKEN if you prefer not to use the anonymous flow; (4) there is no code install or downloaded binary, but network I/O and local file I/O will occur as documented. If you want lower risk, inspect the conversations/logs the agent would generate, or avoid sending private videos to the remote API. If you want further analysis, provide the rest of the SKILL.md (it was truncated) or the linked repository for a deeper code review.

Like a lobster shell, security has layers — review code before you run it.

latestvk974n0f26627wytv8c6pm880ys83qyqp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments