Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Caption Generator Jobs
v1.0.0Skip the learning curve of professional editing software. Describe what you want — generate accurate captions in English and Spanish for this video — and get...
⭐ 0· 43·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description describe automated captioning and the SKILL.md instructs calls to a nemo video backend and use of NEMO_TOKEN — this is coherent. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata says no required config paths, which is an internal inconsistency worth asking the author to clarify.
Instruction Scope
The runtime instructions explicitly upload user video files and related assets to https://mega-api-prod.nemovideo.ai and require Authorization headers. Uploading user-provided media to an external cloud service is expected for this skill but is a sensitive action: the instructions will transmit possibly private media off-device. The skill also instructs generating an anonymous token (via POST) when no NEMO_TOKEN is present, which is reasonable, but you should be aware it performs network authentication and stores/uses tokens. The YAML also describes deriving X-Skill-Platform from an install path (e.g., ~/.clawhub/), implying the runtime may inspect install paths; the registry showed no config paths required — another inconsistency.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes on-disk installation risk (nothing is downloaded or executed by an installer).
Credentials
Only a single credential (NEMO_TOKEN) is declared as required; that is proportionate for a cloud captioning service. The instructions also create an anonymous token if NEMO_TOKEN is missing, which is consistent. Still, the frontmatter references a config path (~/.config/nemovideo/) that the registry didn't list; if the runtime actually reads that path it could access local files unexpectedly.
Persistence & Privilege
The skill is not marked 'always' and does not request special persistent privileges. It does not claim to modify other skills or system configuration.
What to consider before installing
This skill appears to do what it says — it will upload videos to mega-api-prod.nemovideo.ai and use a NEMO_TOKEN (or obtain a short-lived anonymous token) to run captioning. Before installing or using it:
- Be aware that any videos you upload will be transmitted to and processed by an external service (possible privacy/legal implications). Avoid uploading sensitive or private footage unless you trust the service and reviewed its privacy policy.
- Confirm the domain (nemovideo.ai) is the official provider you expect. If you have an enterprise or paid account, prefer supplying your own NEMO_TOKEN rather than relying on anonymous tokens.
- Ask the skill author to clarify the metadata mismatch: the SKILL.md frontmatter references ~/.config/nemovideo/ while registry metadata lists no required config paths. Confirm whether the skill will read local config files or paths.
- If you want to limit exposure, do a small test with non-sensitive media first and monitor outgoing network requests. Revoke or rotate any tokens you supply if you stop using the skill.
Given the metadata inconsistencies and the fact it will transmit files externally, treat this as a reviewed but potentially privacy-sensitive skill; proceed only after confirming the points above.Like a lobster shell, security has layers — review code before you run it.
latestvk97dph6sc7m75221eqk79k0e7984srtg
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN