Mediaio Auto Subtitle Generator

Pass. Audited by ClawScan on Apr 30, 2026.

Overview

The skill appears purpose-aligned for cloud subtitle generation, but users should know their media, prompts, and service token are handled by an external backend.

Use this skill only if you are comfortable sending your videos and editing instructions to the NemoVideo cloud backend. Keep NEMO_TOKEN private, avoid uploading sensitive or unreleased media unless you trust the provider, and review exports or credit usage before finalizing work.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A backend response may cause the agent to continue editing or querying the video session without showing every intermediate instruction to the user.

Why it was flagged

The skill treats some backend text as operational instructions for API actions. This is purpose-aligned for translating a GUI-based editing backend, but users should know the remote service can steer workflow steps.

Skill content

"Backend says" ... "click [button]" / "点击" | "Execute via API"

Recommendation

Use the skill for intended media-editing tasks and review final edits/exports before relying on the output.

What this means

Videos or media URLs provided to the skill may be uploaded to the cloud service and rendered remotely.

Why it was flagged

The skill uses external API operations to upload and render media. These are central to the subtitle/export purpose, but they can affect user files and service credits.

Skill content

"/api/upload-video/nemo_agent/me/<sid>" ... "Upload a file"; "/api/render/proxy/lambda" ... "Start export"

Recommendation

Only provide media you are comfortable sending to the external processing service, and confirm export requests when credits or paid tiers may be involved.

What this means

Anyone with access to the token could use the associated service credits or session access.

Why it was flagged

The skill requires a service credential for the NemoVideo API. This is expected for authenticated cloud processing, and the artifact also says not to expose tokens.

Skill content

"Every API call needs Authorization: Bearer <NEMO_TOKEN>"

Recommendation

Keep NEMO_TOKEN private, rotate it if exposed, and avoid sharing logs or transcripts that might contain credentials.

What this means

Users have less registry-provided information for verifying who operates or maintains the backend integration.

Why it was flagged

The registry provides limited provenance for a skill that depends on a cloud media-processing backend. This is not malicious by itself, but it is a trust consideration.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the service/provider independently before sending sensitive or unreleased media.

What this means

The remote service may retain project state, render job identifiers, and generated media context for the active editing session.

Why it was flagged

The skill reuses remote session state and retrieved timeline state during the workflow. This is expected for editing, but session context can influence later actions within that project.

Skill content

"Keep the returned session_id for all operations" and "poll session state to verify the edit was applied"

Recommendation

Avoid mixing unrelated sensitive projects in the same session and do not upload private media unless you trust the service.

What this means

Prompts, editing instructions, and media-session identifiers may be processed by the external backend.

Why it was flagged

The skill sends user messages to a remote agent-like backend and consumes streamed responses. This is disclosed and purpose-aligned, but it creates an external data boundary.

Skill content

"/run_sse" | "Send a user message" ... "Stream response with Accept: text/event-stream"

Recommendation

Do not include confidential information in prompts or media unless the provider’s data handling is acceptable to you.