Skill v1.0.0

ClawScan security

Tiktok Ai Subtitle Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 11, 2026, 5:01 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions mostly match a cloud subtitle-rendering service (it needs a single service token and uploads videos), but there are small inconsistencies and privacy risks (unknown backend, a declared config path in the SKILL.md that doesn't match registry metadata, and instructions to derive headers from local install paths) that warrant caution before installing or providing a token.
Guidance
This skill appears to do what it claims (upload your videos to the Nemovideo rendering API and return a captioned MP4), but exercise caution before installing it or supplying credentials:
1. The backend host (mega-api-prod.nemovideo.ai) and the skill publisher are unknown; verify who operates the service before sending it a token.
2. Prefer the anonymous-token flow over pasting a long-lived NEMO_TOKEN; anonymous tokens are short-lived and less sensitive if leaked.
3. Expect your video files and session metadata to be uploaded to a third-party server and possibly stored under ~/.config/nemovideo/; do not use the skill for sensitive content unless you trust the service.
4. Ask the publisher to clarify the registry-metadata/config-path mismatch and why the skill needs to derive X-Skill-Platform from local install paths (this reveals part of your local layout to the service).
5. If you decide to proceed, monitor the token's usage and revoke it after testing.

Review Dimensions

Purpose & Capability [note]
The name/description (TikTok subtitle generator) aligns with the declared requirement for a single service token (NEMO_TOKEN) and the outlined API calls to a Nemovideo render backend. However, registry metadata reports no required config paths while the SKILL.md frontmatter lists a config path (~/.config/nemovideo/), an inconsistency the publisher should explain.
Instruction Scope [note]
SKILL.md gives concrete runtime instructions: generate or reuse NEMO_TOKEN, create a session, upload video files, use SSE endpoints, poll render status, and download results. These are within the expected scope. Two points to note: it instructs the agent to derive the X-Skill-Platform header from local install paths, and it names a config path where tokens/sessions may be saved. Together these require reading and writing the user's home config area and disclose some local environment details to the service.
Install Mechanism [ok]
This is instruction-only (no install spec, no code files), so nothing is written to disk by an installer. The main runtime action is network communication with a third-party API (mega-api-prod.nemovideo.ai). No remote downloads or archive extraction are indicated.
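The three findings above (config path declared in SKILL.md but absent from registry metadata, a header derived from the install path, and a single third-party host) are the kind of thing a reviewer can check mechanically before installing. The following stdlib-only Python script is an added example written for this page; it is not ClawScan's scanner, not code from the skill, and not a ClawHub API. The frontmatter keys `config_paths` and `required_env`, the shape of the registry metadata dict, and the SKILL.md excerpt are all assumptions constructed to mirror this review, so adapt the parser to the real frontmatter schema before relying on it.

```python
"""Pre-install consistency check: SKILL.md frontmatter vs. registry metadata,
plus a scan of the instruction body for hosts, home-directory paths and
install-path-derived headers. Added example; assumed layouts throughout."""
import re

# Constructed SKILL.md excerpt modelled on the review findings (not the real
# file). The frontmatter keys below are an assumed schema, not ClawHub's.
SKILL_MD = """\
---
name: tiktok-ai-subtitle-generator
config_paths:
  - ~/.config/nemovideo/
required_env:
  - NEMO_TOKEN
---
# Usage
Create a session by calling https://mega-api-prod.nemovideo.ai, then upload the video.
Set the X-Skill-Platform header from the skill's install path.
Persist session_id and token under ~/.config/nemovideo/ for later runs.
"""

# Constructed registry metadata reflecting "no required config paths".
REGISTRY = {
    "name": "tiktok-ai-subtitle-generator",
    "config_paths": [],
    "required_env": ["NEMO_TOKEN"],
}

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")          # lowercase DNS names
HOME_PATH_RE = re.compile(r"~(?:/\.?[\w-]+(?:\.[\w-]+)*)+/?")     # ~/... paths, no trailing '.'
PLATFORM_HEADER_RE = re.compile(r"X-Skill-Platform", re.I)
INSTALL_PATH_RE = re.compile(r"install(?:ation)?\s+(?:path|dir|directory)", re.I)


def parse_frontmatter(text):
    """Minimal parser for '---'-delimited frontmatter with scalar keys and
    '  - item' lists (the assumed subset used in SKILL_MD). Returns (meta, body)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}, text
    meta, key = {}, None
    for i, line in enumerate(lines[1:], start=1):
        if line.strip() == "---":
            return meta, "\n".join(lines[i + 1:])
        if line.startswith("  - ") and key is not None:
            meta.setdefault(key, []).append(line[4:].strip())
        elif re.match(r"^[\w-]+:", line):
            key, _, value = line.partition(":")
            meta[key] = value.strip() if value.strip() else []
    raise ValueError("unterminated frontmatter")


def _norm(path):
    return path.rstrip("/")


def compare_metadata(meta, registry):
    """Flag config paths or credentials present on only one side."""
    findings = []
    declared = {_norm(p) for p in meta.get("config_paths", [])}
    registered = {_norm(p) for p in registry.get("config_paths", [])}
    for p in sorted(declared - registered):
        findings.append(f"config path {p} is declared in SKILL.md but missing from registry metadata")
    for p in sorted(registered - declared):
        findings.append(f"config path {p} is in registry metadata but not declared in SKILL.md")
    for v in sorted(set(meta.get("required_env", [])) ^ set(registry.get("required_env", []))):
        findings.append(f"credential {v} is declared on only one side")
    return findings


def scan_body(body):
    """Extract network endpoints, home-directory writes and the install-path header pattern."""
    return {
        "hosts": set(HOST_RE.findall(body)),
        "home_paths": {_norm(p) for p in HOME_PATH_RE.findall(body)},
        "header_from_install_path": bool(
            PLATFORM_HEADER_RE.search(body) and INSTALL_PATH_RE.search(body)
        ),
    }


def review_skill(skill_md, registry):
    """Return (findings, scan) for a SKILL.md text and its registry metadata."""
    meta, body = parse_frontmatter(skill_md)
    findings = compare_metadata(meta, registry)
    scan = scan_body(body)
    for host in sorted(scan["hosts"]):
        findings.append(f"network endpoint referenced: {host} (verify the operator before sending a token)")
    for p in sorted(scan["home_paths"]):
        findings.append(f"instructions write under {p}; expect tokens/session ids to be persisted there")
    if scan["header_from_install_path"]:
        findings.append("X-Skill-Platform is derived from the local install path; this leaks local layout to the service")
    return findings, scan


if __name__ == "__main__":
    for line in review_skill(SKILL_MD, REGISTRY)[0]:
        print("-", line)
```

Run it as-is to see the four findings that correspond to the review's notes; point it at a real SKILL.md and the registry record once you have adjusted `parse_frontmatter` to the actual schema. The regexes are deliberately narrow (lowercase hostnames, `~/`-prefixed paths) to avoid false positives on ordinary prose such as sentence-ending periods.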
Credentials [note]
Only NEMO_TOKEN is declared as required (primary credential), which is proportionate for a cloud rendering service. Caveats: SKILL.md describes an anonymous-token flow (creating a token via the service), which is reasonable, but the config path (~/.config/nemovideo/) implies tokens/sessions may be persisted to disk. The skill does not request unrelated credentials, which is good.
Persistence & Privilege [ok]
The skill is not always-enabled and allows normal autonomous invocation. It will persist session_id/token data (per its instructions) and may read/write its own config path, which is expected. It does not request system-wide changes or changes to other skills' configuration.