Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Caption Generator Extension Chrome
v1.0.0add video files into captioned video files with this skill. Works with MP4, MOV, WebM, AVI files up to 500MB. YouTubers and content creators use it for addin...
⭐ 0· 35·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to generate and embed captions via a cloud service and the SKILL.md describes a cloud-render pipeline and API endpoints consistent with that purpose. However, the metadata also lists a local config path (~/.config/nemovideo/) and platform-detection behavior which are not clearly required for captioning and look unnecessary for a pure API-based workflow.
Instruction Scope
Runtime instructions tell the agent to accept video files from the user and upload them to https://mega-api-prod.nemovideo.ai, create sessions, send SSE, poll for renders, and use Bearer tokens. The doc also explicitly instructs the agent to 'keep the technical details out of the chat', which encourages performing network actions without showing technical evidence to the user. The flow therefore involves transmitting potentially large user files and session metadata to an external service and may require reading local file paths — this is within the claimed functionality but has notable privacy and transparency implications.
Install Mechanism
Instruction-only skill with no install spec or code files, which is the lowest-risk install model. Nothing is written to disk by a packaged installer from unknown URLs.
Credentials
The skill requires a single primary credential (NEMO_TOKEN), which is reasonable for an API-based captioning service. However, metadata also references a config path (~/.config/nemovideo/) and the instructions describe detecting install paths to set headers — accessing user config or inferring install locations is not justified by the description and increases the amount of local information the skill may read. The token grants control over uploads/exports; ensure you trust the token holder and service before providing it.
Persistence & Privilege
always:false and no install-time persistence or modification of other skills is requested. The skill does not declare system-wide privileges or force-inclusion.
What to consider before installing
This skill will upload user video files and session data to https://mega-api-prod.nemovideo.ai and uses a NEMO_TOKEN (or an anonymous token obtained from the service) to authenticate. Before installing or invoking it: 1) Confirm you trust the external service and read its privacy/retention policy — your videos will leave your machine. 2) Avoid putting long-lived secrets in the environment unless you control the account; prefer using a temporary/anonymous token if you want to try it. 3) Be aware the skill instructs the agent to hide technical details from chat, so ask explicitly for upload/export confirmations and URLs if you need auditability. 4) If you need tighter privacy, prefer a local captioning workflow or ask the publisher for source code/homepage and security/privacy documentation. If you want, provide the service's homepage, privacy policy, or an example token workflow and I can re-evaluate with higher confidence.Like a lobster shell, security has layers — review code before you run it.
latestvk97aj4dcq7hwmtya90qgwnf0ed84xd25
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN