Skill v1.0.0

ClawScan security

Subtitle Generator Free Online · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 7:07 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared requirements and runtime instructions are consistent with a cloud-based subtitle service, but it will upload your video files and manage short‑lived tokens on an external endpoint, and the package lacks a public source/homepage, so you should review privacy/trust before use.
Guidance
This skill behaves like a typical cloud subtitle service: your videos will be uploaded to an external API (mega-api-prod.nemovideo.ai) and short‑lived tokens/session IDs will be created and stored. Before installing or using it, consider: (1) Do not upload sensitive or private video content unless you trust the service and its privacy terms; (2) there is no public homepage or source listed — lack of provenance reduces confidence; (3) tokens and session state will be stored locally (the frontmatter references ~/.config/nemovideo/) — verify where and how these are stored and cleaned up; (4) anonymous tokens grant free credits but are valid only 7 days and the skill will auto‑obtain them if NEMO_TOKEN is absent. If you need stronger assurance, ask the publisher for source code or a privacy policy and/or avoid sending sensitive media to this skill.

Review Dimensions

Purpose & Capability
ok: The skill is a cloud subtitle/video export tool and only requests a service token (NEMO_TOKEN) and a config path used to store session/token state — these are coherent with contacting the nemo video API and uploading media for processing.
Instruction Scope
note: SKILL.md directs the agent to upload user videos to https://mega-api-prod.nemovideo.ai, create/refresh anonymous tokens, open/poll session state via SSE, and store session_id. These actions are expected for a cloud render/subtitle workflow, but they involve sending user media off‑device and persisting tokens/session IDs; the doc does not specify secure storage location or retention policy.
Install Mechanism
ok: Instruction-only skill with no install steps or external downloads — lowest install risk.
Credentials
ok: Only a single credential (NEMO_TOKEN) is required. The skill also documents how to obtain an anonymous token if none is present, which matches the described API usage. No unrelated credentials are requested.
Persistence & Privilege
ok: always:false and normal autonomous invocation defaults. The skill asks to store session_id and tokens for operation but does not request elevated system-wide privileges or modifications to other skills.