Skill v1.0.0
ClawScan security
Ai Subtitle Generator Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 4:55 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill’s claimed purpose (remote subtitle/rendering) matches most of its instructions and the single requested credential (NEMO_TOKEN), but there are small inconsistencies and some behaviors you should explicitly understand before installing (file uploads to a third‑party service, metadata disagreement about config paths, and implicit filesystem probing to determine install path).
- Guidance: Before installing, understand this will upload your videos (and likely metadata) to mega-api-prod.nemovideo.ai for server-side processing — if your content is sensitive, do not proceed without checking the service's privacy/security terms. Confirm whether you trust the Nemo service and whether you prefer to use an anonymous, short‑lived token (the skill documents how to obtain one). Ask the publisher to resolve the metadata inconsistency about config paths (SKILL.md frontmatter lists ~/.config/nemovideo/ but registry data lists none) and to explain why the agent must detect the install path (that may require reading your home directory). If you want higher assurance, request a hosted homepage, source repository, or code samples so you can verify exactly what data is sent and how tokens are stored/used.
Review Dimensions
- Purpose & Capability (note): The skill advertises server-side subtitle generation and the SKILL.md shows APIs to upload videos, create sessions, and request renders — this aligns with the stated purpose. The required credential (NEMO_TOKEN) is appropriate for access to the described API. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata earlier reported no required config paths — an internal inconsistency worth clarifying.
- Instruction Scope (note): Runtime instructions explicitly direct the agent to upload user video files and to POST/GET to mega-api-prod.nemovideo.ai endpoints (session creation, upload, SSE chat, render polling). That is expected for this function, but it does mean user media and derived metadata are transmitted off‑device to a third‑party service. The SKILL.md also prescribes deriving an X-Skill-Platform header by inspecting install paths (e.g., ~/.clawhub/ or ~/.cursor/skills/) — that implies the agent might read the filesystem to detect install location, which is not strictly necessary to provide core functionality and should be explained/justified.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files — lowest install risk. No downloads or extracted archives are specified.
- Credentials (note): Only NEMO_TOKEN is declared as required (primary credential), which matches the described API usage. The frontmatter also references a config path (~/.config/nemovideo/) that would grant access to local config if the agent reads it — the top-level registry summary listed no required config paths, so that discrepancy should be resolved. The skill advises generating an anonymous token if none is present (reasonable), and it instructs not to print tokens.
- Persistence & Privilege (ok): No always:true, no install-time persistence requested, and the skill does not claim to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not a separate concern here.
