Skill v1.0.0
ClawScan security
Video Subtitle Generator Free Extension · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 3:10 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are consistent with a cloud-based video subtitle/rendering service, but it will upload your video files and can automatically acquire a short-lived anonymous token if no NEMO_TOKEN is present — review privacy and the small metadata mismatch before use.
- Guidance: This skill appears to do what it says (upload your video to a cloud API and return a captioned render), but it will send your video files to mega-api-prod.nemovideo.ai and may automatically obtain a short-lived anonymous token if you don't provide NEMO_TOKEN. Before installing or using:
  1) Do not upload sensitive or private videos unless you trust the service and have reviewed its privacy/retention policy.
  2) Verify who controls nemovideo.ai (ownership, privacy/terms) and whether you want your content handled by that provider.
  3) If you supply a persistent NEMO_TOKEN, ensure it is scoped/limited; otherwise the skill will request an anonymous token automatically.
  4) Note the metadata mismatch (frontmatter references ~/.config/nemovideo/) and ask the publisher whether the skill will read local config files.
  5) If you require local-only processing for privacy, use a local subtitle tool instead.

  If you want me to, I can list follow-up questions to ask the publisher or suggest safer local alternatives.
Review Dimensions
- Purpose & Capability (ok): The name/description (auto-generate and embed captions) align with the documented API endpoints (upload, render, SSE, credits). Requesting a single service token (NEMO_TOKEN) is appropriate. Minor inconsistency: the SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths.
- Instruction Scope (note): Instructions stay within the stated purpose (create sessions, upload videos, submit render jobs, poll for URLs). They explicitly instruct the agent to upload user video files to the remote backend and to automatically POST to an anonymous-token endpoint to fetch a NEMO_TOKEN if none is present; this causes network calls and creation/consumption of provider credits without a pre-existing token. The agent is told not to display raw tokens, but uploading potentially sensitive videos to an external service is inherent to the skill.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files; nothing is written to disk by an install process. This is lower risk from an installation perspective.
- Credentials (note): The skill requires only one credential (NEMO_TOKEN) as primaryEnv, which matches the cloud API usage. The ability to fetch an anonymous token if NEMO_TOKEN is absent is documented in SKILL.md. The frontmatter's config path requirement is not reflected in the registry metadata; clarify whether the skill will read ~/.config/nemovideo/ before installing.
- Persistence & Privilege (ok): The skill is not marked always:true and is user-invocable; it relies on transient session IDs and bearer tokens. It does not request elevated platform presence or modify other skills' configuration based on the provided instructions.
