Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Caption Generator For Video

v1.0.0

Add video files into captioned video files with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. Content creators and marketers use it for addin...

0· 19·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md describes uploading videos and creating render/export jobs on a remote nemovideo.ai API and expects a service token (NEMO_TOKEN). Requiring a token for a cloud video-captioning backend is proportional to the stated purpose.
Instruction Scope
Instructions explicitly direct the agent to upload user files (multipart or URL) and to POST/GET to numerous endpoints on mega-api-prod.nemovideo.ai, create sessions, poll renders, and handle SSE. That is expected for cloud rendering, but users should be aware that their video/audio files and any data sent in requests will be transmitted to that third-party service. The skill also instructs the agent to auto-acquire an anonymous token if none is present (by POSTing to the auth endpoint) and to auto-detect an install path to set X-Skill-Platform; these steps require the agent to generate identifiers and possibly inspect environment/paths.
Install Mechanism
No install spec and no code files — instruction-only skill. Lowest install risk since nothing is downloaded or written by an installer.
Credentials
PrimaryEnv is NEMO_TOKEN, which fits the API usage. However, the SKILL.md frontmatter metadata includes a configPaths entry (~/.config/nemovideo/) while the registry metadata earlier listed none; this mismatch is unexplained. If the skill expects to read a user config directory, that grants access to potentially sensitive local files (tokens, settings). Confirm whether the agent will read that path and why. Otherwise the single required env var is proportionate.
Persistence & Privilege
always is false and the skill does not request persistent installation or modifications to other skills. It does instruct storing/using a session token returned by the backend for the duration of a job, which is normal for a remote service.
What to consider before installing
This skill appears to be a straightforward cloud captioning integration: it will upload files you provide to mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (it can also request an anonymous token for you). Before installing, consider:
(1) Privacy: your videos and audio will be sent to a third-party service; avoid uploading sensitive or confidential content.
(2) Config-path mismatch: the SKILL.md suggests access to ~/.config/nemovideo/ but the registry did not list any config paths; ask the author whether the agent will read that directory and what it contains.
(3) Token handling: confirm how long tokens (anonymous or provided) are stored and where; anonymous tokens grant credits and could be reused.
(4) Verify the API host (mega-api-prod.nemovideo.ai) and check the service's privacy/retention policy.
If these points are acceptable or clarified, the skill's behavior aligns with its purpose; otherwise proceed only after clarification.

Like a lobster shell, security has layers — review code before you run it.

latest: vk979cjb50s8nsvfgz1abs287qd84qaj8


Runtime requirements

💬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
