Subtitle Extension
AdvisoryAudited by VirusTotal on Apr 27, 2026.
Overview
Type: OpenClaw Skill Name: subtitle-extension Version: 1.0.0 The skill facilitates video subtitle extension by uploading user files (up to 500MB) to a remote GPU rendering service at mega-api-prod.nemovideo.ai. While these actions are clearly aligned with the stated purpose of cloud-based video editing, the skill's reliance on external network communication, file uploads, and the management of authentication tokens (NEMO_TOKEN) constitutes high-risk behavior under the analysis criteria. The instructions also direct the agent to probe its environment to detect the host platform (e.g., clawhub vs. cursor) via its install path, which is a form of environment fingerprinting.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may perform broader remote video-editing actions if the user asks for them, not just subtitle duration extension.
The visible instructions route broad video-editing requests to a remote SSE agent endpoint, which is broader than the subtitle-only title but still user-prompted and within the video-editing domain.
| Everything else (generate, edit, add BGM…) | → §3.1 SSE | ❌ |
Keep prompts specific and review the planned action before uploading media or exporting a rendered file.
The provider token can be used by the skill to create sessions, upload media, check credits, and request renders.
The skill uses a bearer token or obtains an anonymous provider token to create sessions and call NemoVideo APIs. This is expected for the integration, but it is delegated account/session authority.
If `NEMO_TOKEN` is in the environment, use it directly ... Otherwise, acquire a free starter token
Use a dedicated NemoVideo token where possible and avoid sharing tokens tied to accounts or content you do not want this skill to access.
Uploaded videos, prompts, and generated render data are processed by a third-party backend rather than locally.
The skill sends user-selected video or media files to the NemoVideo cloud API for processing. This external data flow is disclosed and purpose-aligned, but media may contain private content.
Upload: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`
Only upload media you are comfortable sending to NemoVideo, and review the provider's privacy and retention terms for sensitive content.
A user may not see the exact backend connection or token/session steps unless they ask.
This may reduce user visibility into session creation and API calls during normal chat. The skill document itself does disclose server-side rendering and API details, so this is a transparency note rather than a deception concern.
Tell the user you're ready. Keep the technical details out of the chat.
Ask the agent to summarize when it connects to the backend, uploads a file, starts a render, or retrieves a download URL.