Movie Subtitle Viewer
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its subtitle-download purpose, but its download code can write files to an unbounded path derived from API data, so users should review it before use.
Only install if you are comfortable providing OpenSubtitles credentials. Before using downloads, ensure the skill saves files only inside a dedicated workspace and does not overwrite existing files; ideally the author should fix path validation and declare the required credentials and dependencies in metadata.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or unexpected subtitle filename, or an unsafe caller-supplied save path, could cause the agent to write outside the intended workspace and potentially overwrite local files accessible to the process.
The default save path can come from subtitle metadata populated from the OpenSubtitles API, and the file is opened directly without path sanitization or workspace enforcement.
    if save_path is None:
        save_path = subtitle.get('file_name', 'subtitle.srt')
    ...
    with open(save_path, 'wb') as f:
        f.write(r2.content)

Restrict downloads to a dedicated workspace directory, normalize and validate filenames, reject absolute paths and '..' components, and avoid overwriting existing files unless the user explicitly approves.
Users must provide an API key, username, and password for the OpenSubtitles service, and should treat these as sensitive account credentials.
The skill requires OpenSubtitles account credentials, while the registry metadata lists no required env vars or primary credential. The credential use appears purpose-aligned and no leakage is shown.
    OPENSUBTITLES_API_KEY=your_api_key
    OPENSUBTITLES_USERNAME=your_username
    OPENSUBTITLES_PASSWORD=your_password
Declare these environment variables in metadata, use least-privilege API credentials where possible, and store them only in the user's normal secret-management mechanism.
Installation may resolve to newer package versions than the author tested, which can affect reproducibility and supply-chain review.
The skill depends on external Python packages with version ranges rather than pinned versions, and the registry has no install spec. These dependencies are expected for the stated purpose but should be reviewed during installation.
    pysubs2>=1.8.0
    requests>=2.28.0
    python-dotenv>=0.21.0
Provide an install spec or lockfile with reviewed dependency versions, and keep dependency metadata aligned with the registry.
