Skill v1.0.0

ClawScan security

Ai Subtitles Extension · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 7:43 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions generally match its stated purpose (cloud subtitle rendering) with only minor metadata inconsistencies to review before use.
Guidance
This skill appears to do what it says: upload your videos to a remote rendering service that auto-generates subtitles. Before installing or using it, consider: (1) Privacy: your video/audio content will be uploaded to https://mega-api-prod.nemovideo.ai — verify the service's privacy and retention policies. (2) Token handling: the skill will accept a NEMO_TOKEN you supply or automatically request an anonymous token (100 free credits, 7-day validity); decide whether to provide your own service token or allow automatic anonymous tokens. (3) Metadata mismatch: SKILL.md lists a config path (~/.config/nemovideo/) but the registry summary did not — ask the publisher which is authoritative and whether the skill will read or write that directory. (4) Attribution headers: the skill requires adding X-Skill-* headers to all requests; ensure those values are safe to include for your use case. If you need higher assurance, request the publisher or maintainer's homepage or source repository so you can review their privacy policy and server-side practices.

Review Dimensions

Purpose & Capability
ok: Name and description match required credential (NEMO_TOKEN) and the network endpoints the SKILL.md uses. The skill uploads videos and requests rendering from a remote API — this is coherent with 'AI Subtitles Extension'.
Instruction Scope
note: The instructions stay within the subtitle/rendering use case: they upload video files, stream SSE for edits, poll status, and start exports. They also explain how to obtain an anonymous token automatically if NEMO_TOKEN is not set, and require adding skill attribution headers. This is reasonable, but note the skill will transmit user-uploaded media and metadata to an external host (mega-api-prod.nemovideo.ai) — expected for a cloud rendering service but a privacy consideration.
Install Mechanism
ok: No install spec and no code files (instruction-only). Nothing is written to disk by an installer and no third-party packages are pulled during installation — lowest-risk install posture.
Credentials
note: Only NEMO_TOKEN is declared as required, which matches the described API usage. However, the SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) while the registry summary reported no required config paths — this metadata inconsistency should be clarified. The skill can create an anonymous token itself if NEMO_TOKEN is absent, which is plausible but means it will make network calls to acquire credentials on the user's behalf.
Persistence & Privilege
ok: The skill is user-invocable and not always-on. It does not request elevated platform privileges, nor does it declare writing/modifying other skills or global agent settings in the instructions.