Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Caption Generator

v1.0.2

The video-caption-generator skill transcribes spoken audio from your video and burns accurate, readable captions directly into the output file. Upload any cl...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (video captioning and burned subtitles) align with the actions described in SKILL.md: it talks to nemovideo API endpoints, handles uploads/exports, and renders captions. The only oddity is a packaging mismatch: the registry metadata lists NEMO_TOKEN as a required env var, while the SKILL.md's Environment Variables table marks NEMO_TOKEN as optional with an auto-generated anonymous-token flow. This inconsistency is likely a packaging/documentation error but should be clarified with the publisher.
Instruction Scope
The instructions are mostly scoped to the nemo service: they instruct the agent to create a session, upload video, request renders, and include explicit headers. The skill persists a client_id to ~/.config/nemovideo/client_id (documented and declared in configPaths). Two points to note: (1) ALL API requests must include X-Skill-Source/X-Skill-Version/X-Skill-Platform headers—X-Skill-Platform may disclose the skill's install path or a SKILL_SOURCE env var; (2) the skill will upload whole video files to https://mega-api-prod.nemovideo.ai, so sensitive video content will leave the machine. The instructions do not ask the agent to read other unrelated files or other credentials.
Install Mechanism
This is instruction-only with no install spec and no code files — lowest-risk install mechanism. Nothing is downloaded or written besides the documented client_id under ~/.config/nemovideo/.
Credentials
Only NEMO_TOKEN (primaryEnv) and optional client-related vars are referenced, which is proportional for a cloud captioning service. However, the registry claims NEMO_TOKEN is required while SKILL.md documents an anonymous token flow and labels NEMO_TOKEN as optional — this mismatch should be resolved. Also be aware that providing NEMO_TOKEN grants the service the ability to receive and process your uploaded videos; ensure the token's scope/expiry/permission model is acceptable. The skill persists a client id (UUID) locally, which is low risk but may be used for tracking/rate-limiting.
Persistence & Privilege
The skill does persist a single client_id under ~/.config/nemovideo/ and requires no special platform privileges; it does not request always:true and does not modify other skills or system-wide settings. This level of persistence is reasonable for maintaining a stable client identifier.
What to consider before installing
Before installing, confirm with the publisher whether NEMO_TOKEN is truly required or if the anonymous token flow is sufficient. Understand that videos you upload will be sent to nemovideo's API (https://mega-api-prod.nemovideo.ai); do not upload sensitive or confidential videos unless you trust the service and have reviewed its privacy policy and token scopes. If you prefer not to supply a long-lived token, use the anonymous-token flow described in SKILL.md and keep tokens revocable and short-lived. Note the skill will persist a small UUID at ~/.config/nemovideo/client_id and will include X-Skill-Source/X-Skill-Platform headers that may reveal the skill's install location—if that concerns you, set SKILL_SOURCE explicitly to a benign value or run the skill in an isolated environment. Finally, if you need higher assurance, ask the publisher for source code or a signed release and test with non-sensitive sample videos first.


latestvk970hmqx88q43hh9ph58z3v8d183snwz


Runtime requirements

💬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
