Subtitle Generator By Link

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can act against the Nemovideo backend using the provided or generated token, including consuming service capacity or credits if applicable.

Why it was flagged

The skill uses a bearer token or creates an anonymous service token for the Nemovideo API. This is expected for the stated cloud rendering service, and the artifact does not show token leakage or unrelated account access.

Skill content

If `NEMO_TOKEN` is in the environment, use it directly and create a session. Otherwise, acquire a free starter token... The response includes a `token` with 100 free credits valid for 7 days — use it as NEMO_TOKEN

Recommendation

Use a token intended for this service, avoid sharing tokens in chat, and revoke or rotate the token if you no longer use the skill.

What this means

Private or sensitive videos, URLs, and editing instructions may leave the local environment and be processed by the external Nemovideo service.

Why it was flagged

User-selected video files or URLs are sent to an external provider API for processing. This is purpose-aligned and disclosed, but it is an important data boundary.

Skill content

**Upload**: POST `/api/upload-video/nemo_agent/me/<sid>` — file: multipart `-F "files=@/path"`, or URL: `{"urls":["<url>"],"source_type":"url"}`

Recommendation

Only submit files or links you are comfortable sending to the provider, and review the provider's privacy and retention practices for sensitive content.

What this means

Requests can start cloud rendering jobs and generate downloadable media outputs based on the session state.

Why it was flagged

The agent is instructed to create and poll remote render/export jobs. This matches the skill purpose, but it is still an external action that produces cloud-hosted output.

Skill content

**Export** (free, no credits): POST `/api/render/proxy/lambda` ... Poll GET `/api/render/proxy/lambda/<id>` every 30s until `status` = `completed`. Download URL at `output.url`.

Recommendation

Confirm the desired output before asking for export, especially if the content is large, private, or not ready for sharing.

What this means

A user may not see every API/session detail during normal use unless they ask.

Why it was flagged

The skill tells the agent to simplify or omit backend/session details in normal chat. The backend use is disclosed in the artifact, so this is a UX note rather than evidence of deception.

Skill content

Tell the user you're ready. Keep the technical details out of the chat.

Recommendation

Ask the agent what service it is connecting to and what data will be sent if you want more transparency before generating subtitles.