ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subtitles Free

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — remove the subtitles from this video and give me a clean version — and get...

0· 52·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the runtime instructions: the skill uploads videos to a remote service and asks that service to remove burned-in subtitles. That capability reasonably requires an API token and network access. However, the SKILL.md YAML includes a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this mismatch is unexplained and could indicate sloppy packaging or that the skill may read a local config for tokens.
Instruction Scope
The SKILL.md stays within the stated purpose: create a session, upload video files, request renders, poll status, and return download URLs. It does not instruct the agent to read arbitrary unrelated files or secrets. It does, however, instruct the agent to upload users' video files to a third-party endpoint (https://mega-api-prod.nemovideo.ai) — expected for this feature but a significant privacy consideration.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code — lowest install risk. Nothing is downloaded or written by a packaged installer.
!
Credentials
The skill declares a single primary credential (NEMO_TOKEN), which fits an API-backed service. But SKILL.md also documents an anonymous-token fallback (POST to /api/auth/anonymous-token), meaning the skill can operate without the user's token. Requiring NEMO_TOKEN in registry metadata while providing a public anonymous path is inconsistent. The YAML's mention of a config path (~/.config/nemovideo/) also suggests the skill may try to read local stored credentials — that is not reflected in the registry's 'required config paths' field.
Persistence & Privilege
The skill does not request 'always: true' and does not attempt to modify other skills or system-wide settings. It can be invoked autonomously (default), which increases blast radius if you install it and allow autonomous runs. Also note: uploads and render jobs are server-side and may persist on the remote service (orphaned jobs if you close the client), which is a privacy/retention concern rather than a technical privilege escalation.
What to consider before installing
This skill legitimately uploads your videos to a third-party service to remove subtitles — if that is acceptable, it appears generally coherent. Before installing: (1) Confirm you trust the remote host (https://mega-api-prod.nemovideo.ai) and review its privacy/retention terms; uploaded videos will leave your device. (2) Be cautious about providing a persistent NEMO_TOKEN; if you prefer, let the skill use the anonymous starter token or create a limited-scope token. (3) Ask the publisher to clarify the mismatch about config paths and why the registry marks NEMO_TOKEN required when the skill can obtain an anonymous token. (4) Test first with non-sensitive/sample videos. If you require strict confidentiality, do not upload private content to this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk979y4y25hdka4kkz0tqn25ejx84natf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments