Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Auto Caption

v1.0.0

add video files into captioned video files with this ai-auto-caption skill. Works with MP4, MOV, AVI, WebM files up to 500MB. YouTubers and content creators...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (auto-captioning) matches the API endpoints and actions documented (upload, render, credits, state). Requesting a single service token (NEMO_TOKEN) is consistent with a hosted captioning service. However, the SKILL.md frontmatter declares a required config path (~/.config/nemovideo/) that is not reflected in the registry metadata — an inconsistency that should be clarified.
Instruction Scope
The instructions direct the agent to: (a) POST user videos (multipart) to remote endpoints, (b) automatically obtain an anonymous token by POSTing to the vendor API and store it for later use, and (c) detect the agent install path to set an X-Skill-Platform header. Uploading potentially sensitive large video files to an external domain is expected for this service, but the install-path detection and storing hidden tokens broaden the agent's actions beyond pure captioning and could expose user data if the remote service is untrusted. The SKILL.md also directs the agent not to show raw API responses or token values, which reduces user visibility into what is being stored/transmitted.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written by an installer. This is lower risk than skills that fetch and execute remote archives.
Credentials
Only one credential is declared (NEMO_TOKEN), which is proportionate for a cloud captioning backend. However, the skill also instructs the agent to automatically request and persist an anonymous token if NEMO_TOKEN is not present, and the frontmatter lists a config path (~/.config/nemovideo/) not declared elsewhere. That combination (automatic token creation + optional local config storage + install-path probing) increases the persistence surface and should be explained.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does instruct storing a session_id and possibly persisting the anonymous token for up to 7 days, which is expected for session management but worth noting as it means credentials will be kept locally/remotely across uses.
What to consider before installing
This skill appears to be a straightforward cloud captioning integration, but take these precautions before installing:
- Understand data flow: using the skill will upload your video files to https://mega-api-prod.nemovideo.ai. If videos contain sensitive information, do not upload them.
- Token behavior: the skill can accept a NEMO_TOKEN you provide or it will create and store an anonymous token on your behalf (100 free credits, 7 days). If you prefer control, create and supply your own token rather than letting the skill generate one.
- Metadata inconsistency: the SKILL.md mentions a config path (~/.config/nemovideo/) and asks the agent to detect an install path for an attribution header. Ask the publisher why filesystem probing is needed and what is written to ~/.config/nemovideo/ before installing.
- Visibility: the instructions say not to display raw API responses or tokens to users. That reduces transparency — request a way to audit what the skill stores (session_id, token) and when it transmits files.
- Trust and provenance: source/homepage are unknown. Prefer skills with a clear publisher or open-source repo for auditing. If you must use it, test with non-sensitive short clips first and monitor network usage.

If the publisher can (1) confirm why the config path/installation-path detection is required, (2) confirm exactly what is stored locally, and (3) provide a documented privacy/data-retention policy, that would raise confidence that the skill is safe to use.


Runtime requirements

Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
