Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subtitle Sync Tool

v1.0.0

Subtitles that arrive one second late ruin the viewing experience. The speaker finishes a sentence and the text lingers, disconnected from the voice that pro...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill describes audio analysis and speech-recognition-based re-timing (which could legitimately require a remote ASR service). However the registry metadata declares a primary credential NEMO_TOKEN and a config path (~/.config/nemovideo/) even though requires.env is empty and the visible SKILL.md text does not document any dependency on a remote service or explain the purpose of that token/config. That mismatch is unexplained and deserves clarification.
Instruction Scope
The SKILL.md describes reading video/audio and subtitle files and performing waveform/speech alignment — these actions are appropriate for the stated purpose. The provided excerpt does not instruct access to unrelated system files. However the instructions (as provided) do not state whether audio/video will be processed locally or uploaded to a remote service, nor do they document use of NEMO_TOKEN or the config path, leaving open the possibility that user media could be transmitted off-host.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written during install. That reduces surface area and is proportionate for a tool that can operate with existing local tooling or APIs.
! Credentials
A primaryEnv value of NEMO_TOKEN is declared in metadata while requires.env is empty — inconsistent. Requesting a token named like an API credential is potentially reasonable if the skill uses a speech service, but the SKILL.md does not document that dependency, justify the credential's scope, or explain what endpoints will receive user data. The config path (~/.config/nemovideo/) also grants access to user config files and could contain secrets; its presence should be justified.
Persistence & Privilege
The skill does not request always:true and does not declare any persistent installation behavior. It appears user-invocable only and does not request system-wide privileges.
What to consider before installing
This skill looks like a local subtitle re-timing tool, which is fine, but the package metadata names a primary credential (NEMO_TOKEN) and a config path (~/.config/nemovideo/) without documenting why. Before installing or enabling it:
1) Ask the author whether processing is local or if audio/video files are uploaded; if uploads occur, ask for the destination URL, privacy policy, and token scope.
2) Confirm whether NEMO_TOKEN is required and what permissions it grants; prefer short-lived or limited-scope tokens.
3) If you require offline processing for privacy, ask for an explicit offline mode or choose a tool that runs entirely locally.
4) Avoid providing tokens until you can verify the service and data handling; inspect a full SKILL.md (untruncated) or source code to confirm no unexpected exfiltration.
If the author cannot answer these, treat the skill as potentially unsafe.


latest: vk97f0sqm5efhbrgd6rg7g6w9a183wm00

Runtime requirements

⏱️ Clawdis
Primary env: NEMO_TOKEN
