Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Subtitle Video Generator
v1.2.1
The subtitle-video-generator skill by ClawHub transcribes your video's audio and burns accurate, styled subtitles directly into the footage — no manual synci...
by peandrover adam @peand-rover
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (auto‑caption and burn subtitles) aligns with the instructions to call nemovideo's API and upload files. Requesting an API token (NEMO_TOKEN) is expected. However, the registry metadata and SKILL.md disagree: the registry lists no required config paths, while the SKILL.md metadata references ~/.config/nemovideo/; the registry marks NEMO_TOKEN as required, but SKILL.md documents it as auto-generated/optional. These inconsistencies should be resolved.
Instruction Scope
The SKILL.md instructs the agent to (a) greet proactively on first contact, (b) read/write ~/.config/nemovideo/client_id, (c) request an anonymous token via curl to https://mega-api-prod.nemovideo.ai and store that token in NEMO_TOKEN for the session, and (d) upload user video files to the API. Uploading user videos and exchanging tokens with the external service is expected for this skill, but it means user media will be transmitted to a third party. Also, the file path access (home config file) is outside the agent's ephemeral memory and is persistent — the skill explicitly writes a file.
Install Mechanism
Instruction-only skill (no install spec, no code files) — lowest risk from install. Nothing is downloaded or executed locally beyond standard curl calls described in the instructions.
Credentials
The skill's declared primary credential (NEMO_TOKEN) is appropriate. The SKILL.md also documents optional env vars (NEMO_API_URL, NEMO_WEB_URL, NEMO_CLIENT_ID, SKILL_SOURCE) which are reasonable. But the registry lists NEMO_TOKEN as required while the SKILL.md says it will auto-generate an anonymous token if absent — this mismatch should be clarified. The token grants API access and therefore controls uploads/credits; treat it like a secret.
Persistence & Privilege
The skill will persist a client_id to ~/.config/nemovideo/client_id (UUID only) to avoid rate limits. Persisting a small non-secret ID is plausible for this use-case, but it is persistent filesystem access. always:false (normal). The skill does not request system-wide privileges, but persistence to the user's home directory and storing a token for the session are notable and should be made explicit to users.
What to consider before installing
Before installing, be aware that this skill uploads your video files and related data to https://mega-api-prod.nemovideo.ai (nemovideo.com). Confirm you trust that third party and its privacy policies. Ask the publisher to clarify the metadata mismatches (registry says no config path and required token, SKILL.md says client_id is persisted and token can be auto‑generated). If you proceed, consider: (1) testing with non‑sensitive videos first; (2) creating a dedicated service account or revocable token; (3) inspecting the full SKILL.md/repository to confirm there is no unexpected behavior; and (4) checking that the persisted file is only a UUID (open it) and that tokens are not written to disk. If you need higher assurance, request the full skill source code or a signed release before trusting sensitive content.

Like a lobster shell, security has layers — review code before you run it.
latest: vk97f3qde4t2w6rk5eyx4tag6kd83ww5a
Runtime requirements
🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
