Skill v1.0.0
ClawScan security
Subtitle Translator Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 4:57 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud subtitle translation and embedding) matches its runtime instructions and required credential (NEMO_TOKEN); it is an instruction-only integration that uploads user videos to nemovideo.ai and does not request unrelated system access.
- Guidance: This skill will upload any video files you provide to an external service (mega-api-prod.nemovideo.ai) and will use NEMO_TOKEN if set or obtain a short-lived anonymous token. Before installing or using it: (1) confirm you trust nemovideo.ai (privacy, retention, and sharing of uploaded videos); (2) avoid uploading sensitive or private content unless you have reviewed the service policy; (3) if you must set a permanent NEMO_TOKEN, consider using a scoped or revocable token and revoke it after use; (4) note the skill may persist a session_id for job tracking — if you see unexpected behavior, revoke credentials and clear any nemovideo config; (5) if you want stricter control, do not set NEMO_TOKEN and instead allow the skill to use the anonymous token flow or use a disposable token.
Review Dimensions
- Purpose & Capability (ok): The skill claims to call a remote video-processing API and the only required credential is NEMO_TOKEN, which aligns with that purpose. No unrelated binaries or extraneous service credentials are requested. The metadata's configPaths (~/.config/nemovideo/) is consistent with a CLI client config location for the same service.
- Instruction Scope (note): The SKILL.md instructs the agent to create/use an auth token (NEMO_TOKEN) and to upload user-supplied video files and session data to https://mega-api-prod.nemovideo.ai via the described endpoints. That behavior is expected for a cloud render/subtitle service, but it means user videos and session metadata will be transmitted to an external provider. The instructions do not ask the agent to read unrelated local files or extraneous environment variables.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files — nothing is downloaded or written to disk by the skill itself. That is the lowest-risk install model.
- Credentials (note): Only one environment variable is required: NEMO_TOKEN (declared as primaryEnv). That is proportional to a remote API integration. Metadata also lists a config path (~/.config/nemovideo/) which may indicate a local place to persist session info or tokens; the SKILL.md does not instruct reading arbitrary local system files beyond typical token handling.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request elevated platform privileges. It instructs creating and saving a session_id for use with the API (expected for long-running jobs) but does not ask to modify other skills or global agent settings.
