Skill v1.0.0
ClawScan security
Ai Subtitle For Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 13, 2026, 12:58 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill generally matches its stated purpose (cloud subtitle/rendering) and only needs a single service token, but the instructions contain minor inconsistencies and request behaviors (probing install/config paths and generating/using anonymous tokens) that aren't fully explained and deserve caution.
- Guidance
- This skill appears to be a straightforward cloud-based subtitle/renderer that needs one service token (NEMO_TOKEN) to operate. Before installing or enabling it, consider: 1) Confirm whether the skill will read ~/.config/nemovideo/ or inspect install paths on your machine — the SKILL.md suggests platform detection and a configPath but the registry metadata didn't list any config paths. 2) Understand the anonymous-token behavior: if you don't provide NEMO_TOKEN the skill will request a short-lived anonymous token from mega-api-prod.nemovideo.ai; this is expected but you should confirm you trust that domain and the service's privacy policy. 3) Avoid uploading highly sensitive videos to the service until you verify its data retention and privacy terms. 4) Ask the skill author to clarify the configPath/install-path checks and to remove any filesystem probing that isn't necessary. If you need higher assurance, request the skill source or an official homepage and a privacy/security statement from the author before enabling autonomous invocation.
Review Dimensions
- Purpose & Capability
- note: The name/description (auto-generate and burn-in subtitles via a cloud backend) aligns with the required credential (NEMO_TOKEN) and the API endpoints described. Minor mismatch: top-level description mentions MP4/MOV/AVI/WebM up to 500MB, while the runtime instructions list many more formats (mkv, png, mp3, etc.) — not malicious but inconsistent. Frontmatter metadata also declares a config path (~/.config/nemovideo/) whereas the registry metadata reports no required config paths.
- Instruction Scope
- concern: Runtime instructions explicitly tell the agent to check the environment for NEMO_TOKEN and, if absent, POST to an anonymous-token endpoint to obtain a token. They also instruct deriving and sending attribution headers and detecting the platform by examining install paths (~/.clawhub/, ~/.cursor/skills/) to set X-Skill-Platform. That implies probing filesystem/install locations (or at least inspecting an install path) beyond simply using the declared environment variable. The steps to create and reuse anonymous tokens and the requirement to keep session_id in memory are reasonable for a cloud service, but filesystem probing and the configPath discrepancy are scope-creep signals that should be clarified.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files, so it won't write binaries to disk or download third-party packages. That minimizes installation risk.
- Credentials
- note: Only a single service credential (NEMO_TOKEN) is declared as required and is proportionate for a cloud-rendering subtitle service. However, SKILL.md describes generating an anonymous token if NEMO_TOKEN is absent (by POSTing to the service), and frontmatter mentions a config path (~/.config/nemovideo/). The presence of a configPath in the frontmatter but not in the registry metadata is inconsistent and warrants confirmation whether the skill will read that directory.
- Persistence & Privilege
- ok: The skill does not request always:true, does not modify other skills, and only asks to hold session state (session_id) for the duration of operations. This is typical for a cloud API integration.
