ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Caption Generator In Video

v1.0.0

add video files into captioned video files with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. YouTubers, TikTok creators, marketers use it fo...

0· 32·0 current·0 all-time
by@tk8544-b
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is a wrapper around a cloud captioning API and only requests a single credential (NEMO_TOKEN), which is coherent with its stated purpose. However, the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this mismatch is an inconsistency to confirm with the author.
Instruction Scope
Instructions are focused on uploading videos, creating sessions, SSE interaction, and polling render status on mega-api-prod.nemovideo.ai, which fits the described functionality. The instructions also tell the agent to detect platform by checking install paths (~/.clawhub/, ~/.cursor/skills/) and to read the skill's own frontmatter for attribution — this implies filesystem reads of user home paths (limited, but outside the API itself) and should be noted.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only so nothing is downloaded or written by an installer. This minimizes install-time risk.
Credentials
Only NEMO_TOKEN is required as a credential and that aligns with a cloud API usage pattern. The SKILL.md also documents a flow to obtain an anonymous token via POST, which is reasonable. The earlier registry summary stated 'required config paths: none' while the SKILL.md frontmatter lists ~/.config/nemovideo/ — this inconsistency should be clarified. No unrelated secrets are requested.
Persistence & Privilege
The skill does not request always: true, does not include an install step that persists code, and does not ask to modify other skills or global agent settings. The default ability to invoke autonomously remains but is typical for skills.
What to consider before installing
This skill appears to be an instruction-only integration with a cloud captioning API and asks for a single token (NEMO_TOKEN) — which is expected. Before installing or enabling it: 1) Verify the API host (mega-api-prod.nemovideo.ai) and the vendor (no homepage provided) so you know where your videos will be uploaded. 2) Prefer using an anonymous or short-lived token as described if you don't trust long-term access; do not reuse high-privilege credentials. 3) Be aware the skill may read paths in your home directory to detect platform/install location (it references ~/.clawhub and ~/.cursor/skills and lists ~/.config/nemovideo/ in its frontmatter) — confirm whether that is necessary. 4) Avoid uploading sensitive or private video content until you confirm the service's privacy/retention policy. 5) Ask the publisher to resolve the metadata inconsistency (registry vs SKILL.md configPaths) and provide an official homepage or source for additional trust signals.

Like a lobster shell, security has layers — review code before you run it.

latestvk974mg8bbte9cbmfce3ck0pptx84rj1h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments