Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Caption Generator Canva
v1.0.0
Get captioned video files ready to post, without touching a single slider. Upload your video clips (MP4, MOV, AVI, WebM, up to 500MB), say something like "ad...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and runtime instructions consistently describe a cloud-based captioning/render pipeline (session creation, upload, SSE, render/export). Requiring a NEMO_TOKEN is proportionate for a third‑party API.
Instruction Scope
Instructions describe uploading user video files and streaming SSE from mega-api-prod.nemovideo.ai and include logic for anonymous token acquisition. They also instruct deriving an X-Skill-Platform header by probing install paths (~/.clawhub/, ~/.cursor/skills/) — that implicitly requires checking the user's filesystem for those paths, which is unnecessary for functionality and a potential privacy surface.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill package itself (lowest install risk).
Credentials
Only NEMO_TOKEN is declared as required; that's appropriate for this API. The SKILL.md also mentions a config path (~/.config/nemovideo/) in its frontmatter metadata while the registry summary listed no required config paths — a minor inconsistency. The skill will fall back to requesting/generating an anonymous token if NEMO_TOKEN is absent, which means it will still upload user data to the remote service even without user-provided credentials.
Persistence & Privilege
always is false and there's no install-time persistence or cross-skill configuration changes. The skill can be invoked autonomously by the agent (platform default), which increases blast radius only insofar as the service it contacts is trusted.
What to consider before installing
This skill appears to do what it says (cloud captioning) and only needs a single API token, but there are three things to consider before installing: (1) Source trust: the skill has no homepage or known publisher — verify who runs mega-api-prod.nemovideo.ai before sending private videos. (2) Data flow: your uploaded videos and audio will be sent to that external service (even if you don't supply a NEMO_TOKEN, the skill can obtain an anonymous token to proceed). Don't use it for sensitive/personal content unless you trust the provider and understand retention/processing policies. (3) Minor metadata inconsistency: SKILL.md mentions a config path and install-path probing for X-Skill-Platform headers, which implies the agent may check your home directories; if you want to avoid that, ask the skill maintainer to remove filesystem probing and accept 'unknown' as the platform. If you decide to proceed, prefer using a limited-scope token, review the provider's privacy/terms, and test with non-sensitive sample media first.
Like a lobster shell, security has layers — review code before you run it.
latestvk97fjmgj1v0exkhf5s8edc9w3984p151
Runtime requirements
💬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
