Skill v1.0.0

ClawScan security

Video To Subtitle · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 5:39 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a cloud video-subtitling service: it needs a service token (NEMO_TOKEN) and uploads user videos to the vendor API; nothing else in the skill suggests unrelated credential access or hidden install behavior.
Guidance
This skill will upload your videos and audio to mega-api-prod.nemovideo.ai and use a service token (NEMO_TOKEN). Before installing or using it: 1) Confirm you trust the domain/vendor and review their privacy/retention policy (sensitive videos will leave your machine). 2) If you prefer, provide your own NEMO_TOKEN rather than letting the skill auto-create an anonymous token. 3) Test with non-sensitive sample videos first to confirm behavior. 4) Note the minor metadata mismatch (a config path is mentioned in the SKILL.md frontmatter but not in registry metadata) — ask the publisher to clarify whether anything will be written to ~/.config/nemovideo/. If you need stricter guarantees about where files go or token creation, request more details from the skill author before enabling.

Review Dimensions

Purpose & Capability
ok: The skill claims to generate and burn subtitles via a remote rendering service and its instructions only call that service API. Requesting a single service token (NEMO_TOKEN) is appropriate for that purpose. The skill also documents endpoints for upload, SSE, render, credits, and state — all consistent with a cloud render/subtitling workflow.
Instruction Scope
note: Runtime instructions include uploading user video/audio files to https://mega-api-prod.nemovideo.ai and streaming edits via SSE, which is expected for this capability. The skill will auto-obtain an anonymous token if NEMO_TOKEN is not present (POST to /api/auth/anonymous-token) and instructs the agent to store a session_id for subsequent calls. It also requires certain attribution headers (including a platform detection step based on install-path patterns). These behaviors stay within the stated purpose but you should be aware that user content is sent to a third-party endpoint and that the agent will create/use credentials automatically.
Install Mechanism
ok: No install spec or code files are present (instruction-only). This minimizes on-disk installation risk. Because there is no downloadable code, the skill's runtime surface is the API calls described in SKILL.md.
Credentials
note: The skill declares a single primary credential (NEMO_TOKEN), which matches the service-oriented purpose. However, SKILL.md describes an auto-provisioning flow that will create and use an anonymous token when NEMO_TOKEN is absent, which effectively grants the agent the ability to obtain and use service credentials at runtime. Also note a minor metadata inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata included with the skill reported no required config paths.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges. It stores a session_id for the duration of work (normal for session-based APIs). The frontmatter's mention of a config path suggests the service may use a local config directory, but there is no explicit instruction to write persistent secrets to disk beyond normal session handling.