Skill v1.0.0

ClawScan security

Subtitle Translate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review Apr 17, 2026, 6:04 PM
Verdict
Review
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared requirements and the runtime instructions don't fully match (notably around NEMO_TOKEN and a config path), and you should confirm provenance and privacy before uploading videos or providing credentials.
Guidance
This skill appears to implement a cloud subtitle-translation/render flow, but there are inconsistencies you should resolve before installing or providing credentials. Questions to ask the publisher: (1) Why does the registry mark NEMO_TOKEN as required when SKILL.md documents an anonymous-token fallback? (2) Why does the SKILL.md frontmatter require ~/.config/nemovideo/ while the registry shows no config paths? (3) Who operates mega-api-prod.nemovideo.ai and what is the privacy/retention policy for uploaded videos and generated subtitles? Until you verify those, avoid putting sensitive or private videos through this service and do not set a persistent NEMO_TOKEN in your environment unless you trust the operator. If you want a cleaner signal, share the full SKILL.md (untruncated) and any publisher contact or homepage so provenance can be checked.

Review Dimensions

Purpose & Capability
note: The described purpose (cloud subtitle translation and rendering) matches the API endpoints and flow in SKILL.md. Requesting a service token (NEMO_TOKEN) is reasonable for this purpose. However, the manifest/registry metadata provided to you lists no required config paths while the SKILL.md frontmatter explicitly requires ~/.config/nemovideo/, and the SKILL.md describes an ability to operate without NEMO_TOKEN (via anonymous token), so the declared requirements are inconsistent with the runtime instructions.
Instruction Scope
note: Instructions are focused on connecting to a single backend (mega-api-prod.nemovideo.ai), creating sessions, uploading media, streaming SSE, checking credits, and starting exports — all expected for a cloud render/translate service. They do require generating a UUID and making POST/GET calls, and they instruct adding custom attribution headers and auto-detecting an install path for X-Skill-Platform. The instructions do not ask the agent to read arbitrary local files or unrelated credentials, but the header auto-detection could require inspecting agent install paths.
Install Mechanism
ok: No install spec and no code files — the skill is instruction-only, so nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
concern: The registry lists NEMO_TOKEN as a required/primary env var, but SKILL.md explicitly documents an anonymous-token fallback path (it will POST to acquire a short-lived anonymous token if NEMO_TOKEN is missing). That makes the 'required' designation misleading. SKILL.md also mentions a config path (~/.config/nemovideo/) in its frontmatter, which is not reflected in the registry metadata you were shown. Requesting a single service token is reasonable, but the mismatch between declared and actual requirements is a red flag worth clarifying.
Persistence & Privilege
ok: always:false and no instructions to modify other skills or system-wide settings. The skill uses short-lived session tokens and job IDs for render tasks; this is normal for a cloud rendering workflow and does not request elevated agent privileges.