ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multilingual Video Dubbing

v1.0.0

Get dubbed video files ready to post, without touching a single slider. Upload your video files (MP4, MOV, AVI, WebM, up to 500MB), say something like "dub t...

0· 20·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to do cloud-based multilingual video dubbing and all network calls, endpoints, and the single required credential (NEMO_TOKEN) are consistent with that purpose. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry summary earlier said no config paths are required — this mismatch is unexplained.
!
Instruction Scope
Runtime instructions tell the agent to use NEMO_TOKEN if present, or to request an anonymous token from https://mega-api-prod.nemovideo.ai and then upload user video files to that domain. They also require adding attribution headers on every request. The agent is instructed to access a local config path (per frontmatter) which could contain tokens — reading that directory is not strictly necessary to perform uploads and is not justified in the SKILL.md.
Install Mechanism
No install spec and no code files — instruction-only skill. This is the lowest-risk install mechanism because nothing will be written to disk by an installer.
Credentials
Only one credential is declared (NEMO_TOKEN) which is appropriate for a cloud API integration. The instructions also permit obtaining an anonymous token from the vendor service. The unexplained frontmatter reference to a local config path could permit reading saved credentials and is disproportionate unless the skill uses local tokens for convenience — the SKILL.md does not justify this.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill does not request permanent platform-level presence. Nothing in the instructions attempts to modify other skills or system-wide agent settings.
What to consider before installing
This skill largely does what it says (uploads videos to a cloud API and returns dubbed files), but there are two things to confirm before installing: (1) The SKILL.md frontmatter references a local config path (~/.config/nemovideo/) that could be read for tokens — ask the author whether the skill will read that directory and why; if you keep any production credentials there, avoid exposing them. (2) The skill will send user video files and metadata to https://mega-api-prod.nemovideo.ai and may obtain anonymous tokens on your behalf — verify the vendor, privacy policy, and retention of uploaded media. If you provide a real NEMO_TOKEN, treat it like any API key (scoped/minimal privileges, rotate if you suspect exposure). If unsure, prefer using an anonymous/starter token or a disposable test account until you confirm the service's behavior and data handling.

Like a lobster shell, security has layers — review code before you run it.

latestvk979pxd6vms5r6abfhj1ew8r7d853j90

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎙️ Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments