Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nemo Subtitle

v1.8.13

Turn any video into a captioned, subtitle-ready file entirely through conversation — no video editor or timeline required. Drop in your mp4, mov, avi, webm,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's capabilities (transcribe, translate, export SRT/VTT, burn subtitles) match the described API usage. However, the SKILL.md metadata and the later 'Setup' section disagree on the required credential name (the metadata lists NEMO_TOKEN; the Setup section references NEMOVIDEO_API_KEY), and the preamble metadata declares a config path (~/.config/nemovideo/) that the registry summary does not report. These mismatches are most likely documentation drift, but they leave the skill's actual configuration surface unclear relative to its claimed purpose.
Instruction Scope
Runtime instructions have the agent read and write ~/.config/nemovideo/client_id (read an existing client_id, or generate a UUID and save it there), then run a curl POST to obtain an anonymous token. They also direct storing the returned token as NEMO_TOKEN 'for this session', without saying whether that means an in-memory environment variable or a file on disk. Writing under the user's home directory and injecting tokens into the environment go beyond read-only, instruction-only behavior and should be explicit and justified. The base-URL variable is also used inconsistently ($API in one place, apiDomain in another), so the agent could end up contacting the wrong endpoint.
Install Mechanism
No install spec or external downloads are present (instruction-only). This is the lower-risk pattern: nothing is written to disk by an installer, so the risk comes from the instructions themselves rather than from an install step.
Credentials
Requesting an API token is proportionate to the skill's claimed functionality. However, the doc refers to at least two different environment variable names (NEMO_TOKEN vs NEMOVIDEO_API_KEY) and to different header values (Authorization: Bearer <NEMOVIDEO_API_KEY> in one place, NEMO_TOKEN earlier). That ambiguity raises the chance of misconfiguration or of exposing the wrong secret. No unrelated credentials (AWS, GitHub, etc.) are requested.
Persistence & Privilege
The skill asks to read/write a client_id file under ~/.config/nemovideo/ and to store a token for the session. Creating a client id in a dedicated config path is reasonable for a client library, but it is still persistence into the user's home directory and should be disclosed explicitly. The skill does not request 'always: true' or system-wide config changes; the write-to-home behavior is nonetheless a notable privilege for an instruction-only skill.
What to consider before installing
Before installing or invoking this skill:
1) Ask the developer which exact environment variable is required (NEMO_TOKEN or NEMOVIDEO_API_KEY) and how tokens are stored (ephemeral in memory vs written to disk).
2) Confirm the exact API base URL the agent will call (the SKILL.md uses both apiDomain and $API).
3) If you are not comfortable with files being written to your home directory, ask for an option to keep client_id and tokens ephemeral or to store them in OpenClaw secrets only.
4) Prefer supplying a scoped API key or anonymous token through platform-managed secrets rather than setting global environment variables.
5) Verify the listed homepage/repository (https://nemovideo.com and the GitHub repo) to confirm the code and docs match what the skill declares.
If the developer cannot clarify the env/config inconsistencies, treat this skill as higher risk and do not grant it real secrets.
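One way to check for the documentation drift described in the findings above before installing, as an added example that is not ClawHub's scanner or the skill's own code: a small lint over a SKILL.md that reports competing credential names, credentials referenced but not declared in the frontmatter, token storage with no stated medium, home-directory writes, base URLs referred to by more than one name, and curl calls that send data. The SKILL.md embedded below is constructed to reproduce the reported inconsistencies; the real file's wording, endpoint path and frontmatter layout are assumptions.

```python
"""Lint a SKILL.md for instruction drift: credential names, home-dir writes, endpoint variables.

Added example, not ClawHub's or the skill's code. The SKILL.md below is a constructed
stand-in that mirrors the scan findings; the real file is not reproduced here.
"""
import re
from dataclasses import dataclass

# Constructed sample, NOT the real SKILL.md. It reproduces the reported drift:
# two credential names, a home-directory write, and two base-URL variables.
SAMPLE_SKILL_MD = """---
name: nemo-subtitle
env:
  - NEMO_TOKEN
config: ~/.config/nemovideo/
---
## Runtime
Read ~/.config/nemovideo/client_id; if it is missing, generate a UUID and save it there.
Then run:
    curl -s -X POST "$API/v1/anon-token" -d "client_id=$CLIENT_ID"
Store the returned token as NEMO_TOKEN for this session.

## Setup
Set NEMOVIDEO_API_KEY and call apiDomain with the header
    Authorization: Bearer <NEMOVIDEO_API_KEY>
"""


@dataclass(frozen=True)
class Finding:
    category: str  # credentials | persistence | endpoint | network
    detail: str


CRED_WORDS = ("TOKEN", "KEY", "SECRET", "PASSWORD")
ENV_NAME_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")          # SCREAMING_SNAKE names
HOME_PATH_RE = re.compile(r"~/[\w./-]+")                                   # anything under $HOME
URL_VAR_RE = re.compile(r"\$\{?([A-Za-z_]\w*)\}?(?=/)")                    # $API/... inside a curl line
NAMED_HOST_RE = re.compile(r"\b[A-Za-z]*(?:Domain|BaseUrl|Endpoint)\b")    # apiDomain-style identifiers
WRITE_RE = re.compile(r"\b(save|write|generate|store|persist|create)\b", re.I)
STORE_RE = re.compile(r"\b(store|save|persist)\b", re.I)


def declared_env(text: str) -> set[str]:
    """Env var names listed under `env:` in the YAML-style frontmatter (assumed layout)."""
    m = re.match(r"---\n(.*?)\n---", text, re.S)
    if not m:
        return set()
    names, in_env = set(), False
    for line in m.group(1).splitlines():
        if re.match(r"^env:\s*$", line):
            in_env = True
        elif in_env and line.lstrip().startswith("- "):
            names.add(line.split("- ", 1)[1].strip())
        elif in_env and not line.startswith((" ", "\t")):
            in_env = False
    return names


def audit_skill(text: str) -> list[Finding]:
    findings: list[Finding] = []
    lines = text.splitlines()

    # 1. Credential naming: every SCREAMING_SNAKE name that looks like a secret.
    creds = {n for n in ENV_NAME_RE.findall(text) if any(w in n for w in CRED_WORDS)}
    if len(creds) > 1:
        findings.append(Finding("credentials", "several credential names used: " + ", ".join(sorted(creds))))
    declared = declared_env(text)
    undeclared = creds - declared
    if declared and undeclared:
        findings.append(Finding("credentials", "referenced but not declared in metadata: " + ", ".join(sorted(undeclared))))

    # 2. "Store the token ..." with no path named: disk vs memory is left ambiguous.
    for line in lines:
        if STORE_RE.search(line) and not HOME_PATH_RE.search(line):
            for name in ENV_NAME_RE.findall(line):
                if name in creds:
                    findings.append(Finding("credentials", f"storage medium for {name} not stated: {line.strip()!r}"))

    # 3. Persistence: home-directory paths, classified by the verbs on the same line.
    for line in lines:
        for path in HOME_PATH_RE.findall(line):
            mode = "write" if WRITE_RE.search(line) else "read/declare"
            findings.append(Finding("persistence", f"{mode} {path}"))

    # 4. Endpoint identity: more than one base-URL name means the agent may pick either.
    hosts = set(NAMED_HOST_RE.findall(text))
    curl_lines = [l for l in lines if l.lstrip().startswith("curl")]
    for line in curl_lines:
        hosts.update(URL_VAR_RE.findall(line))
    if len(hosts) > 1:
        findings.append(Finding("endpoint", "base URL referenced by several names: " + ", ".join(sorted(hosts))))

    # 5. Network: any curl that sends data.
    for line in curl_lines:
        if re.search(r"(-X\s*POST|--data|\s-d\s)", line):
            findings.append(Finding("network", "POST in runtime instructions: " + line.strip()))
    return findings


if __name__ == "__main__":
    for f in audit_skill(SAMPLE_SKILL_MD):
        print(f"[{f.category}] {f.detail}")
```

Run it against the real SKILL.md by replacing SAMPLE_SKILL_MD with the file's contents; an empty result for the credentials and endpoint categories is what a consistent skill should produce, while any "write ~/..." persistence line is the disclosure to ask the developer about.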

Like a lobster shell, security has layers — review code before you run it.

latest: vk9787xa7jzt67n43gnv45c48ss84bh3v


Runtime requirements

💬 Clawdis
