Skill v1.0.0

ClawScan security

Subtitle Generator Jobs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 8:49 PM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud-based video subtitle/rendering service that needs a NEMO_TOKEN and file uploads, but the source is unknown and there are a few small inconsistencies you should review before installing.
Guidance
This skill appears to do what it says: talk to the nemovideo API, upload video files, and return rendered MP4s. Before installing, verify the service domain (mega-api-prod.nemovideo.ai) is one you trust, and confirm how the agent will store the anonymous NEMO_TOKEN/session_id (in-memory vs written to ~/.config). Avoid uploading sensitive content until you’ve reviewed the provider’s privacy/security policy. Also ask the skill author (or the registry) to clarify the declared config path and whether tokens will be persisted to disk.

Review Dimensions

Purpose & Capability
ok: The name/description (auto-generate and burn-in subtitles) matches the declared primary credential (NEMO_TOKEN) and the API endpoints and actions described in SKILL.md. Requiring a service token and upload endpoints is expected for a cloud render/subtitle pipeline.
Instruction Scope
note: Instructions stay focused on session creation, SSE messaging, uploads, job creation, polling and downloads. They explicitly instruct checking NEMO_TOKEN, creating an anonymous token if absent, and uploading local files or URLs. Note: SKILL.md references a config path (~/.config/nemovideo/) in its frontmatter and instructs keeping session_id for operations; it's not explicit whether tokens/session IDs are persisted to disk or environment, so confirm how the agent stores those values.
Install Mechanism
ok: No install spec or external downloads — instruction-only skill has minimal install risk.
Credentials
note: Only NEMO_TOKEN is required, which is proportional to a cloud API integration. Minor inconsistency: the registry metadata lists no required config paths, but the SKILL.md frontmatter declares ~/.config/nemovideo/ in metadata; this suggests optional local config access that wasn't surfaced in the registry and should be clarified.
Persistence & Privilege
ok: "always" is false and the skill does not request elevated or platform-wide privileges. It does ask the agent to maintain an in-session session_id and to generate/store a transient anonymous token if none is present; this is typical for service integrations but verify whether tokens are persisted outside the agent's ephemeral state.