ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subtitle Viewer

v1.0.0

Cloud-based subtitle-viewer tool that handles viewing and burning subtitles onto videos. Upload MP4, MOV, AVI, WebM files (up to 500MB), describe what you ne...

0· 8·0 current·0 all-time
by@udnerc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (cloud subtitle viewing and burn-in) align with the declared primary credential (NEMO_TOKEN) and the API-based upload/render workflow described in SKILL.md. One minor inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/), while the registry metadata reported no required config paths.
Instruction Scope
Instructions are focused on creating a session, uploading video files, and polling for render results — all consistent with the stated purpose. The skill instructs the agent to obtain an anonymous token if NEMO_TOKEN is absent and to hide technical details from the chat, and it requires uploading user files to an external domain (mega-api-prod.nemovideo.ai). Be aware this transmits video data and authorization tokens off-device; the agent is told to avoid surfacing the technical exchange to the user.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal disk/write risk. Runtime network calls to the service are expected for a cloud render tool.
Credentials
Only NEMO_TOKEN is required (primaryEnv), which is proportionate for an API-backed renderer. The skill also instructs creating or retrieving an anonymous token automatically if NEMO_TOKEN is missing. Metadata references a config path (~/.config/nemovideo/), which could imply reading user config; the registry listing did not declare that path, so the discrepancy should be clarified.
Persistence & Privilege
always is false and no install steps are present. The skill does not request permanent platform privileges or attempt to modify other skills or system-wide settings.
Assessment
This skill will upload any video you send to an external service (mega-api-prod.nemovideo.ai) and use a bearer token (NEMO_TOKEN or an anonymously fetched token) for authorization. Before using it: (1) don't send sensitive or confidential videos unless you trust the service and its privacy terms; (2) verify the service domain and look for an official homepage/privacy policy or source code — none are provided here; (3) if you already have a NEMO_TOKEN, understand what that token permits and revoke it if necessary; (4) ask the skill author to explain the config path mention (~/.config/nemovideo/) and why registry metadata omitted it. If you need stronger assurance, prefer a skill with a known vendor, homepage, or source code you can inspect.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cc7qhdn4ej4jhh64s0hfmn984kq22

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments