Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Easy Auto Caption
v1.0.0
Cloud-based easy-auto-caption tool that handles adding subtitles to videos automatically. Upload MP4, MOV, AVI, WebM files (up to 500MB), describe what you n...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (auto-captioning) aligns with the API endpoints and actions in SKILL.md. Requiring a single service token (NEMO_TOKEN) is appropriate for a cloud service. However, metadata declares NEMO_TOKEN as a required env var while the runtime instructions explicitly implement an anonymous-token flow when the env var is absent — this is an inconsistency (the skill does not strictly need a pre-set NEMO_TOKEN). The metadata also lists a config path (~/.config/nemovideo/) and the instructions mention storing session/token there, which is plausible but not explained in the manifest.
Instruction Scope
SKILL.md directs the agent to: detect install paths to set X-Skill-Platform (reading user paths), POST to external API endpoints to obtain/store tokens and create sessions, upload user files (multipart uploads or URL), poll render jobs, and persist token/session state. These actions are necessary to use the cloud service, but they require the agent to access local filesystem paths and to persist credentials. The documentation also instructs 'don't display raw API responses or token values', indicating secrets are handled and stored — this is a scope extension beyond mere captioning that users should be aware of.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, so nothing is written to disk by an install step. Runtime actions may persist tokens/session state, but there is no automated install that pulls remote code.
Credentials
Only one credential is requested (NEMO_TOKEN), which is proportionate for a cloud captioning service. However, marking NEMO_TOKEN as required while providing an anonymous-token issuance flow is inconsistent. The skill also indicates use of a config path (~/.config/nemovideo/) for storing tokens/session IDs and inspects install directories to set X-Skill-Platform — these are additional host accesses not made explicit in requires.env and may involve persisting secrets to disk.
Persistence & Privilege
always:false and autonomous invocation are normal. The runtime instructions intend to persist an anonymous token and session_id (and possibly write to ~/.config/nemovideo/). That is not inherently malicious, but it is persistent credential storage and the skill will create and reuse credentials unless you clear them. The skill does not request system-wide privileges or modify other skills.
What to consider before installing
Before installing or enabling this skill:
(1) Understand that videos and metadata will be uploaded to a third-party domain (mega-api-prod.nemovideo.ai). If your videos contain sensitive data, do not upload them.
(2) The skill will attempt to obtain and persist an anonymous token/session if you don't supply NEMO_TOKEN; ask where exactly tokens/session IDs are stored (manifest mentions ~/.config/nemovideo/) and whether those files are readable by other processes.
(3) The manifest incorrectly marks NEMO_TOKEN as required while the skill can self-provision a token — ask the maintainer to clarify expected deployment (do you need to provide your own token or not?).
(4) The skill reads install/config paths to set an attribution header — confirm you’re comfortable with that local filesystem access.
(5) Prefer skills with published source, a homepage/privacy policy, or documented retention/erase behavior for uploaded media.
If you still want to try it, consider providing your own account token (not using anonymous flow) and avoid uploading sensitive videos until you verify the service and storage/retention policies.
Like a lobster shell, security has layers — review code before you run it.
latestvk978a8a80t3jfz34gby9vsr4ts84jqvw
Runtime requirements
💬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
