Skillv1.0.0

ClawScan security

Add Subtitle To Video Extension · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 15, 2026, 4:57 AM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are consistent with a cloud-based subtitle/video-rendering extension, but there are small metadata inconsistencies and privacy implications you should review before use.
Guidance: This skill will send any video files you give it to a third-party backend (mega-api-prod.nemovideo.ai) for transcription, compositing, and rendering. Confirm you trust that service and understand their privacy/retention policy before uploading sensitive footage. Note the small metadata mismatch: SKILL.md mentions a config path (~/.config/nemovideo/) while the registry summary did not — ask the author whether the skill will store tokens or files locally. If you prefer more control, supply your own NEMO_TOKEN (account) instead of allowing anonymous token creation so you can monitor usage and credits. Finally, verify costs, rate limits, and whether rendered files will be retained on the remote server.

Review Dimensions

Purpose & Capability: okThe skill name/description (add subtitles and render video) align with the declared primary credential (NEMO_TOKEN) and the runtime instructions that call nemovideo.ai APIs. One inconsistency: the registry metadata overview listed no required config paths, but the SKILL.md frontmatter declares a config path (~/.config/nemovideo/). This appears to be a benign metadata mismatch but worth noting.
Instruction Scope: noteRuntime instructions explicitly upload user video files to the remote backend, create sessions, stream SSE, and poll for render outputs — all expected for this service. The skill also instructs detecting an install path (to populate X-Skill-Platform) which implies reading the agent's install location; this is a limited filesystem probe (not broad file exfiltration) but should be considered. The skill will auto-obtain an anonymous token if NEMO_TOKEN is absent and uses it for uploads; users should understand that videos and derived subtitles are sent to the external API.
Install Mechanism: okInstruction-only skill with no install spec and no code files. This is the lowest install risk — nothing is downloaded or written by an installer as part of the skill package itself.
Credentials: okOnly one credential is declared (NEMO_TOKEN) and is the primary credential used to authenticate to the described service. The skill will create an anonymous token if none is present; no unrelated credentials or broad environment access are requested. The declared config path (~/.config/nemovideo/) is plausible for storing service config, but its presence in SKILL.md (and absence in registry summary) is an inconsistency to verify.
Persistence & Privilege: okThe skill is not always-loaded and does not request elevated or permanent platform privileges. It does not instruct modifying other skills or system-wide config. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.