ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Subtitle Extractor

v1.0.0

Turn a 10-minute YouTube tutorial video into 1080p captioned video files just by typing what you need. Whether it's extracting and embedding subtitles from e...

0· 49·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the instructions: the skill routes uploads and render jobs to a cloud rendering backend (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN. However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this metadata mismatch is inconsistent and worth clarifying.
!
Instruction Scope
The instructions explicitly upload user video files (multipart file POSTs or URL uploads) and stream SSE responses from the remote API. Uploading user files to an external service is expected for this functionality, but it is sensitive: the skill will transmit full media content and session metadata to mega-api-prod.nemovideo.ai and will obtain or reuse tokens. The SKILL.md also instructs the agent to auto-create an anonymous token if NEMO_TOKEN is missing, which involves contacting the API and storing/using the returned token for subsequent operations. There is no instruction about where (or whether) the anonymous token or session_id is stored locally, which is a scope/privacy concern.
Install Mechanism
Instruction-only skill with no install spec and no code files. This lowers filesystem/installation risk because nothing is downloaded or written by an installer, but runtime network calls to the external API remain the primary risk surface.
Credentials
Only one environment credential is declared (NEMO_TOKEN), which is proportional to a cloud-rendering service. The SKILL.md also documents acquiring an anonymous token when none is present. The frontmatter's inclusion of a config path (~/.config/nemovideo/) is not reflected in the registry metadata and should be clarified because access to config paths could imply additional local state access.
Persistence & Privilege
The skill is not marked always:true and uses normal model-invocation defaults. It does not request elevated platform privileges in the instructions. The main persistence-related behavior is retaining a session_id/token for ongoing operations; the SKILL.md does not say whether tokens/session IDs are persisted to disk.
What to consider before installing
This skill will upload your video files and related session metadata to the remote domain mega-api-prod.nemovideo.ai and will use or obtain a NEMO_TOKEN (it can fetch an anonymous token if you don't provide one). Before installing or using: 1) Confirm you trust the remote service—check its privacy/data-retention policy and who runs the service; 2) If your videos contain sensitive content, avoid uploading them or provide a vetted, self-managed processing option; 3) Clarify how/where tokens and session IDs are stored (in memory only vs written under ~/.config/nemovideo/); 4) Consider supplying your own NEMO_TOKEN only if you trust the provider; 5) Because the skill source is unknown and the registry metadata has a small inconsistency (config path present in SKILL.md but not in registry), proceed cautiously and ask the skill author to explain the discrepancy and the service's data handling practices.

Like a lobster shell, security has layers — review code before you run it.

latestvk970k2h9yd4az6dhp321tcyaxx84qw5y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments