Skill v1.0.0

ClawScan security

Video Dubbing Text · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 4:57 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (cloud video text-dubbing) aligns with the API calls and the single required credential (NEMO_TOKEN); nothing in the instructions suggests it is trying to do unrelated actions, though there are small metadata/file-access inconsistencies you should be aware of.
Guidance
This skill appears to do what it says: it will upload videos and use nemovideo.ai APIs to produce dubbed output. Before installing/providing credentials: (1) confirm you trust https://mega-api-prod.nemovideo.ai and review their privacy/TOS because your videos will be uploaded; (2) prefer using the anonymous-token flow for one-off tests rather than supplying a long-lived NEMO_TOKEN; (3) ask the skill author or registry for a homepage/source code link (none is provided) to increase transparency; (4) be aware the skill may read its own SKILL.md frontmatter and detect install paths or a ~/.config/nemovideo/ folder — if that concerns you, run initial tests with non-sensitive videos or without setting NEMO_TOKEN.

Review Dimensions

Purpose & Capability
ok
The skill is a cloud-based video dubbing integrator and declares NEMO_TOKEN as its primary credential. All runtime instructions call endpoints on mega-api-prod.nemovideo.ai to create sessions, upload videos, run SSE for edits, and request renders — these are coherent with the stated purpose.
Instruction Scope
note
The SKILL.md instructs the agent to create sessions, upload files, poll render status, and include attribution headers — all expected. It also instructs the agent to read this file's YAML frontmatter for X-Skill-Source/version and to detect the install path to populate X-Skill-Platform, and references a config path (~/.config/nemovideo/). Reading its own frontmatter is reasonable for attribution; reading the install path or a user config directory is a minor privacy surface to note.
Install Mechanism
ok
This is instruction-only with no install spec or code files, so nothing is downloaded or written by an installer. That minimizes installation risk.
Credentials
note
Only one credential is required (NEMO_TOKEN) and the skill provides an anonymous-token fallback if that env var is absent. That is proportionate. Small inconsistency: registry metadata lists no required config paths, but the SKILL.md frontmatter references a config path (~/.config/nemovideo/) — the reason for that path access is not fully explained.
Persistence & Privilege
ok
always:false and no install behavior means the skill does not demand permanent elevated presence. It asks only for runtime token use and occasional filesystem checks for attribution/platform detection; it does not request to modify other skills or global settings.