Skillv1.0.0

ClawScan security

Subtitle Download Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 12, 2026, 12:22 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and instructions are coherent with a cloud-based subtitle/extract-and-render service: it asks for a NEMO_TOKEN (or creates an anonymous one), uploads videos to nemovideo.ai, and interacts with that API — nothing in the SKILL.md suggests unrelated or excessive access.
Guidance: This skill uploads whatever video you provide to mega-api-prod.nemovideo.ai and requires a NEMO_TOKEN (or will obtain a short-lived anonymous token). That is expected for a cloud subtitle/render service, but be aware: any video you send will leave your machine and be processed by their servers. Before using it with sensitive or private content, check the service's privacy/retention policy and prefer ephemeral anonymous tokens or short-lived credentials rather than a long-lived NEMO_TOKEN. Note the small metadata mismatch: the frontmatter mentions a config path while the registry did not — not a major issue, but worth asking the publisher for clarification if you need guarantees about local config access. If you need subtitles without sending media externally, consider a local tool instead.

Review Dimensions

Purpose & Capability: okName/description match the runtime instructions: the skill uploads video files and calls nemovideo.ai endpoints to extract subtitles and render exports. Requesting a service token (NEMO_TOKEN) is appropriate for this purpose.
Instruction Scope: noteInstructions direct the agent to upload user video files to the remote nemovideo.ai service, manage a session_id, poll for render status, and use SSE — all expected for a cloud render/subtitle workflow. Note: this necessarily transmits user media to a third party (the skill makes this explicit). The skill also reads its own frontmatter and attempts to detect an install path for attribution headers — reading its own metadata is expected, but 'detect install path' is a minor extra step that only affects header population.
Install Mechanism: okInstruction-only skill with no install spec or downloaded code, so nothing is written to disk during install. Runtime network calls are used instead; that's expected for this cloud service integration.
Credentials: okOnly NEMO_TOKEN is required (primary credential). The SKILL.md also supports generating an anonymous token if none is present — a proportional fallback. Minor inconsistency: the registry metadata listed no required config paths, but the SKILL.md frontmatter mentions a config path (~/.config/nemovideo/); this is a small metadata mismatch but not a large credential overreach.
Persistence & Privilege: okThe skill does not request 'always: true' and does not ask to modify other skills or system-wide settings. It will act at runtime and can be invoked by the agent (normal behavior).