Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subtitle Generator Github

v1.0.0

Get captioned video files ready to post, without touching a single slider. Upload your video files (MP4, MOV, AVI, WebM, up to 500MB), say something like "ge...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to call an external video-processing API and requires a NEMO_TOKEN — that is coherent for a cloud subtitle/renderer. However the SKILL.md metadata lists a config path (~/.config/nemovideo/) that the registry metadata did not; this mismatch is unexplained and should be clarified.
Instruction Scope
Runtime instructions direct the agent to create anonymous tokens, store session_id values, upload user video files, and include derived headers. They also instruct deriving X-Skill-Platform by inspecting install paths (e.g., ~/.clawhub/, ~/.cursor/skills/). Reading an agent install path or other filesystem locations is outside the stated uploading/processing purpose and is not declared in the registry — this is scope creep and requires explicit consent/clarification.
Install Mechanism
No install spec or code is present (instruction-only), so nothing will be written to disk by an installer. That lowers risk; however runtime network calls will be made to an external API domain.
Credentials
Only NEMO_TOKEN is declared as required, which is proportionate for a third‑party API. The skill will also generate an anonymous token via the external API if NEMO_TOKEN is absent — this behavior is reasonable but means the agent will perform outbound requests and store tokens/session IDs.
Persistence & Privilege
The skill requests storing session_id for subsequent requests and references a config path in its metadata. It does not request always:true or other elevated privileges. Persisting a session token is plausible, but the registry/doc mismatch about config paths and the unspecified storage location are points to clarify.
What to consider before installing
This skill appears to do what it says (upload video files to a cloud renderer) and only asks for a single API token (NEMO_TOKEN), which is appropriate. Things to check before installing or using it:
1) Confirm you trust the external domain (mega-api-prod.nemovideo.ai), since the skill will upload video/audio and obtain/store tokens/sessions there.
2) Ask the maintainer to explain the discrepancy between the registry (no config paths) and the SKILL.md metadata (~/.config/nemovideo/) and to state exactly where session tokens will be stored.
3) If you prefer not to have the agent inspect local install paths, require a setting or permission to skip X-Skill-Platform detection.
4) Consider using a limited/scoped token or anonymous account for testing rather than a sensitive credential.
If these clarifications are not addressed, treat the skill with caution.

Like a lobster shell, security has layers — review code before you run it.

latest vk97f5ka9brx9g56dy372zkax9984qzd0


Runtime requirements

💬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
