Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Subtitle Generator Download
v1.0.0Turn a 3-minute YouTube tutorial video into 1080p captioned video files just by typing what you need. Whether it's adding downloadable subtitles to videos or...
⭐ 0· 35·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description describe remote subtitle generation and video export; the skill only asks for a single service credential (NEMO_TOKEN) and its runtime instructions call the NemoVideo API endpoints described in the SKILL.md — this is coherent with the stated purpose. Minor inconsistency: the registry metadata lists no required config paths while the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/).
Instruction Scope
Instructions largely stay within the domain of uploading videos, creating sessions, SSE streaming, and polling render status. The skill will: read its own frontmatter for attribution, detect install path to set an X-Skill-Platform header, read NEMO_TOKEN if present, and (if no token) request an anonymous token from a public endpoint. These actions are explainable by the workflow but do mean user videos and metadata will be uploaded to mega-api-prod.nemovideo.ai; the skill also requests reading the install path and its own file metadata which are broader than strictly necessary but understandable for attribution.
Install Mechanism
There is no install spec and no code files — instruction-only skill — so nothing is written to disk by an installer. This is the lowest install risk.
Credentials
Only NEMO_TOKEN is declared as required (primary credential), which matches the described API usage. The SKILL.md additionally describes obtaining an anonymous token automatically if NEMO_TOKEN is absent; this behavior is reasonable but means the skill will perform network auth even without a user-supplied secret. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It will read the install path and its own frontmatter for header attribution but does not request elevated or persistent system privileges.
Assessment
This skill appears to do what it says: it uploads videos to a NemoVideo backend, creates a session, runs SSE-based generation, and returns a download URL. Before installing, consider: (1) Privacy — your video/audio will be uploaded to https://mega-api-prod.nemovideo.ai; verify you trust that service and its retention policy. (2) Token handling — the skill reads NEMO_TOKEN if present and will automatically obtain a short-lived anonymous token if not; avoid putting highly-privileged credentials in NEMO_TOKEN unless you trust the integration. (3) Attribution headers — the skill reads its own frontmatter and detects install path for X-Skill-Platform, which requires reading some local paths; this is read-only but worth noting. (4) Inconsistency — registry metadata lists no config paths while SKILL.md declares ~/.config/nemovideo/ in its frontmatter; you may want clarification from the author. If you’re comfortable with the external service and its policies, the skill is internally coherent. If you need higher assurance, ask the publisher for a provenance/hosting statement or use a disposable token.Like a lobster shell, security has layers — review code before you run it.
latestvk97fs8andgq6ft6hreyh598rz984rybk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN