Skill v1.0.0
ClawScan security
Caption Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 27, 2026, 5:39 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are consistent with a cloud-based video captioning service: it asks for one API token and describes only network calls to that service, with no unrelated dependencies or installs.
- Guidance: This skill appears to do what it says: it uploads videos to an external service (mega-api-prod.nemovideo.ai) to generate captions and return downloadable renderings. Before installing, consider: 1) privacy — any video you upload will be sent to that external API, so avoid uploading sensitive content unless you trust the provider; 2) tokens — the skill can generate and store an anonymous NEMO_TOKEN for you (valid 7 days); understand and control where tokens are stored; 3) provenance — there is no homepage or repository listed, so you cannot inspect the backend or privacy policy; if this matters, ask the publisher for documentation or avoid using the skill; 4) the skill may infer install paths to set a header (minor), which could require the agent to read local paths — if you want stricter limits, restrict filesystem access or require explicit consent before uploads. If you want higher assurance, request the skill publisher provide a homepage, privacy policy, or source code to review.
Review Dimensions
- Purpose & Capability (ok): Name/description (caption generation, remote rendering) align with the skill's declared requirement (NEMO_TOKEN) and the SKILL.md API calls to nemovideo.ai. No unrelated credentials or binaries are requested.
- Instruction Scope (note): Instructions call for creating/using an anonymous NEMO_TOKEN, creating sessions, uploading video files (local path multipart or URL), and polling render status — all consistent with the stated purpose. Note: SKILL.md also describes deriving an X-Skill-Platform header by detecting install paths, which implies reading or inferring local paths; this is a minor scope creep but not clearly unnecessary for the service.
- Install Mechanism (ok): Instruction-only skill with no install spec or code to download. Lowest install risk: nothing is written to disk by an installer in the repository itself.
- Credentials (note): Only NEMO_TOKEN is required as the primary credential — proportionate for a remote API. Minor inconsistency: registry metadata listed no required config paths, but SKILL.md metadata includes a config path (~/.config/nemovideo/). The skill also instructs generating and storing an anonymous token if none is present (reasonable for convenience, but the agent will write/retain credentials).
- Persistence & Privilege (ok): always is false and the skill does not request system-wide privileges or to modify other skills. Autonomous invocation is enabled (default) but not combined with broad credential access or 'always' presence.
