Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subtitle Maker Free

v1.0.0

Paste your video link or drop an MP4 file and this free subtitle maker generates accurate, time-synced captions in under 2 minutes. It's a full online captio...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (generate time‑synced captions via a cloud backend) matches the runtime API calls to nemovideo.ai. However, the skill metadata declares NEMO_TOKEN as required and lists a config path (~/.config/nemovideo/), even though SKILL.md also documents an anonymous token flow for when no NEMO_TOKEN is present. The declared requirements and the instructions are therefore inconsistent, and it is unclear which applies.
Instruction Scope
SKILL.md limits operations to interacting with the nemovideo.ai API (session creation, SSE chat, upload, export, state/credits). It does not instruct reading unrelated system files or other credentials. It does reference reading its own frontmatter and detecting install path to set X-Skill-Platform, which is plausible for attribution but should be done carefully.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. No downloads or external installers are run.
Credentials
The primary credential NEMO_TOKEN is appropriate for a cloud API, but the metadata declares it as required while the runtime instructions include a fully described anonymous-token acquisition flow (POST to /api/auth/anonymous-token). The declared configPaths (~/.config/nemovideo/) are not referenced elsewhere in the instructions. This inconsistency raises two questions: whether a pre-provisioned token is required for higher quota or the skill always creates a token, and whether the skill expects access to user config data it doesn't actually need.
Persistence & Privilege
The skill does not request always:true or any special persistent privileges. It does perform network calls to an external backend (expected for the stated purpose) and stores output on that backend for 24 hours per the instructions — that is a behavioral property to consider but not a privilege escalation.
What to consider before installing
This skill will upload your video/audio to a third‑party cloud (mega-api-prod.nemovideo.ai) and use a bearer token (NEMO_TOKEN) for operations. Metadata says NEMO_TOKEN is required but the instructions also describe generating an anonymous token if none is present — ask the author which behavior applies (pre-supplied token likely gives higher/quicker quota). Don't upload sensitive or private videos unless you trust nemovideo.ai; outputs are retained for 24 hours. Because the skill source/homepage are unknown and metadata contains inconsistent fields, consider: (1) ask the publisher for a homepage/privacy policy and clarification about tokens and retention, (2) prefer using an anonymous token or a scoped account token you can revoke, (3) avoid supplying unrelated credentials, and (4) test with non-sensitive sample media first.

Like a lobster shell, security has layers — review code before you run it.

latest vk9708ax4bx1mt1h0fz83s6z8p584e9gj

Runtime requirements

🎬 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
