Skill v1.0.0
ClawScan security
Media Caption Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 11:26 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill’s requirements and runtime instructions are largely consistent with a cloud-based video captioning service, but there are a few small metadata mismatches and privacy considerations you should understand before use.
- Guidance: This skill appears to legitimately implement a cloud captioning workflow, but it will upload your full videos to https://mega-api-prod.nemovideo.ai and will use a NEMO_TOKEN (or fetch an anonymous token) for all requests. Before installing or using it, consider: 1) Do you trust that external domain with the content in your videos? 2) If you don’t supply a NEMO_TOKEN, the skill will request an anonymous token automatically — ask about data retention and what '100 free credits' entail. 3) Clarify the frontmatter reference to ~/.config/nemovideo/ (will the skill read local config files?). 4) Confirm how tokens and API responses are logged or stored by your agent runtime to avoid accidental token leakage. If any of these are concerning, either avoid using the skill or request the developer’s privacy/retention policy and an explicit statement about local config access before proceeding.
Review Dimensions
- Purpose & Capability (note): The skill is described as a cloud media-captioning service and it only requests a single service credential (NEMO_TOKEN) and instructs uploading videos to an external API — this aligns with the stated purpose. Minor inconsistency: the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) that the registry metadata did not declare; it's unclear whether the agent will read that local config directory.
- Instruction Scope (note): Runtime instructions explicitly tell the agent to upload user video files and to POST/GET to https://mega-api-prod.nemovideo.ai endpoints, create sessions, use SSE, and poll render status. These actions are appropriate for a cloud render/captioning service, but they do transmit full media and session tokens to an external endpoint — a privacy and data-exfiltration consideration. Instructions also require generating/including attribution headers and auto-acquiring an anonymous token if NEMO_TOKEN is absent. The instructions say 'Don't expose tokens or raw API output', but an instruction-only skill cannot enforce logging behavior of the runtime, so token leakage risk depends on the host agent implementation.
- Install Mechanism (ok): Instruction-only skill with no install spec and no bundled code — nothing is downloaded or written by an install step. This is the lowest-risk install posture.
- Credentials (note): Only NEMO_TOKEN is declared as required (primary credential), which is proportionate for a cloud service. The SKILL.md frontmatter also references a config path (~/.config/nemovideo/) which was not declared in the registry metadata — this mismatch should be clarified. The skill will also generate and send a client UUID and may obtain an anonymous token from the service if NEMO_TOKEN is not present.
- Persistence & Privilege (ok): The skill does not request 'always: true' or other elevated persistence. It uses short-lived session tokens and session_id in-memory for job management. No instructions to modify other skills or system-wide agent settings are present.
