Skill v1.0.0
ClawScan security
Best Bilibili Ai Subtitle · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 12, 2026, 5:53 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with a cloud-based subtitle/render service: it needs a NEMO_TOKEN (or can obtain an anonymous token), uploads user videos to a remote API, and streams job state; nothing requested appears disproportionate to that purpose.
- Guidance: This skill appears to do what it says: it will upload your video files to mega-api-prod.nemovideo.ai and use NEMO_TOKEN (or obtain a short-lived anonymous token) to create sessions and render subtitled videos. Before installing or using it, consider: (1) privacy: your videos will be sent to an external service — avoid uploading sensitive content unless you trust the provider and understand retention/processing policies; (2) token scope: only provide a NEMO_TOKEN you control and can revoke; prefer a limited-scope token if available; (3) attribution headers: the skill will include X-Skill-* and platform-identifying information in requests (this can reveal the agent environment); (4) metadata mismatch: clarify why the SKILL.md lists a config path (~/.config/nemovideo/) while the registry metadata lists none — reading a config directory is more invasive and you should confirm whether the skill will actually read files there and what it will do with them; (5) anonymous token flow: the skill can obtain a free anonymous token on your behalf — if you prefer, supply your own token instead. If any of these points worry you, request the skill author to document data retention, the exact use of any config paths, and the token scope before proceeding.
Review Dimensions
- Purpose & Capability: ok. The name/description (auto-generate subtitles for Bilibili videos) match the runtime instructions which call a nemo-video backend (mega-api-prod.nemovideo.ai). Requesting a service token (NEMO_TOKEN) and accepting uploads is expected for a remote rendering/subtitling service. One minor inconsistency: the registry metadata at the top lists no required config paths, while the SKILL.md frontmatter lists a configPaths entry (~/.config/nemovideo/). This looks like a metadata mismatch but does not contradict the stated purpose.
- Instruction Scope: note. SKILL.md instructs the agent to: use NEMO_TOKEN if present or request an anonymous token from the service; create a session; upload user video files (multipart) to the API; stream SSE events and poll state; and include attribution headers. These actions are expected for this service. The skill also instructs reading its own frontmatter and detecting install path to populate X-Skill-Platform — this requires the agent to read its own file path/environment and will expose platform attribution in requests. The instructions do not ask the agent to read unrelated system files or other environment variables.
- Install Mechanism: ok. No install spec or code files are present; this is instruction-only. That is the lowest-risk install model (nothing is downloaded or written by the skill).
- Credentials: note. The skill only requires one credential: NEMO_TOKEN (declared as primary), which is proportional for a remote API service. The SKILL.md also references a config path (~/.config/nemovideo/) in its metadata — the registry listing showed none; this discrepancy should be clarified because reading a user config directory is more invasive than a single token and may expose additional data if used. No other unrelated secrets are requested.
- Persistence & Privilege: ok. The skill is not marked always:true and has no install-time persistence actions. It does not request to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other high-privilege flags.
