ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Subtitle Generator

v1.0.0

YouTubers and content creators add video files into captioned videos using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPUs at 1080...

0· 0·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (subtitle generation for video files) aligns with the endpoints and actions in SKILL.md (upload, render, export). However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) that is not reflected in the registry metadata — this mismatch is unexplained and should be clarified.
Instruction Scope
Runtime instructions explicitly send user video files and metadata to an external API (mega-api-prod.nemovideo.ai) and will POST to an anonymous-token endpoint to obtain a NEMO_TOKEN if one is not present. That behavior is consistent with a cloud render service, but it means user files and generated tokens are transmitted to an external service — confirm the domain and privacy policy before uploading sensitive content. The skill also derives some headers from install path detection (reading install path) which implies filesystem context access.
Install Mechanism
No install spec and no code files (instruction-only) — lowest install risk. Nothing is written to disk by an installer.
Credentials
Only NEMO_TOKEN is required, which is proportionate for an API-backed service. However SKILL.md metadata references an additional config path (~/.config/nemovideo/) even though the registry lists no required config paths — this inconsistency should be resolved. Also the skill will create or fetch an anonymous NEMO_TOKEN if none is present, which is functional but worth awareness.
Persistence & Privilege
always:false and no install-time persistence requested. The skill does not request elevated system privileges or modify other skills. It will, however, maintain session state (session_id) for interaction with the remote backend as expected.
What to consider before installing
This skill behaves like a cloud subtitle/render service: it will upload your video files to mega-api-prod.nemovideo.ai, include an Authorization Bearer token (NEMO_TOKEN) on requests, and can obtain an anonymous token for you if you don't supply one. Before installing/using it: 1) Verify the service domain (mega-api-prod.nemovideo.ai) and check for a legitimate homepage/privacy policy and TLS certificate — there is no homepage listed in the registry. 2) Prefer supplying your own NEMO_TOKEN if you have an account rather than letting the skill obtain an anonymous token. 3) Do not upload sensitive or private videos until you confirm the service’s data retention/privacy terms. 4) Ask the publisher to explain the metadata mismatch (registry says no config paths, SKILL.md lists ~/.config/nemovideo/) and why the skill needs to detect install paths for header construction. 5) Test first with a short, non-sensitive clip to observe behavior. If the publisher cannot be identified or you cannot validate the external service, treat it as untrusted and avoid uploading private content.

Like a lobster shell, security has layers — review code before you run it.

latestvk972352jhvk2vvz1n30t5pekgd84jcxm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments