ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Caption Generator Hitler

v1.0.0

add video clips into captioned video files with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. educators, documentary creators, history conten...

0· 50·0 current·0 all-time
by@whitejohnk-26
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (captioning historical videos) aligns with the runtime actions: obtaining a token, creating a session, uploading videos, requesting renders at nemovideo.ai. Requesting NEMO_TOKEN as the primary credential is expected. However the frontmatter metadata mentions a config path (~/.config/nemovideo/) even though the registry metadata listed no required config paths — that's an inconsistency worth questioning.
!
Instruction Scope
Instructions require contacting an external API and uploading user media (expected for cloud captioning). They also instruct the agent to read this file's frontmatter for attribution headers and to detect the agent's install path (~/.clawhub/ or ~/.cursor/skills/) to set X-Skill-Platform — that requires probing local filesystem/paths beyond simply using a provided token. While these actions can be justified for attribution, they broaden the skill's scope and should be explicitly authorized.
Install Mechanism
No install spec or code files — instruction-only skill. No downloads or archive extraction. This is lower risk since nothing is written/executed locally by an installer.
Credentials
The only declared required env var is NEMO_TOKEN (primaryEnv), which fits the described API usage. But the SKILL.md frontmatter also lists a configPaths entry (~/.config/nemovideo/) that could expose local config files if the agent follows that metadata; the registry-level requirements did not declare this. Confirm whether the skill will actually read that path and what it would look for before supplying credentials.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It stores short-lived session IDs for render jobs (normal). It does not declare modifying other skills or system-wide settings.
What to consider before installing
This skill will upload your video files to an external service (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN to authenticate. Before installing or invoking: (1) Verify you are comfortable uploading the video content (privacy/rights implications). (2) Prefer the anonymous token flow if you don't want to supply a long-lived credential; check how long tokens/credits last. (3) Ask the skill author (or registry) to clarify the configPaths/inconsistency — will the agent read ~/.config/nemovideo/ or probe installation paths? If so, what will it read and why? (4) Confirm the service's domain and review its privacy/retention policy if you plan to upload sensitive footage. (5) If you have concerns, don't provide any persistent/privileged credentials; use ephemeral/anonymous tokens or test with non-sensitive media first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9768yn5qcz6942prwt6fj7zeh84qsg0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments