Skill v1.0.0
ClawScan security
Youtube Video Subtitle Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 26, 2026, 5:43 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions are coherent with a cloud video subtitle/rendering service and the single required credential (NEMO_TOKEN) matches the described purpose, with only minor inconsistencies to check before installing.
- Guidance: This skill appears to do what it says: it needs a NEMO_TOKEN to call the nemovideo.ai APIs to upload, render, and download captioned videos. Before installing or providing a token:
  1. Confirm you trust the service domain (https://mega-api-prod.nemovideo.ai) and that NEMO_TOKEN is scoped only to this video-rendering service — anyone holding that token can act as you against the API.
  2. Ask the publisher whether the skill will read or write the local config path (~/.config/nemovideo/) or probe the install path (the SKILL.md mentions this but the registry metadata is inconsistent).
  3. If you don’t want to supply a permanent token, the skill can fetch a time-limited anonymous token per the instructions, but that gives the skill temporary service access.
  4. Because this is instruction-only with no install, risk is mainly what you choose to upload and what token you provide — avoid giving high-privilege or unrelated credentials. If you need higher assurance, request the actual code or an official homepage for independent review.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the SKILL.md describes uploading video files, creating a session, running renders, polling for results, and returning download URLs. The single required env var (NEMO_TOKEN) is the service token needed to call the stated API endpoints — this is proportionate to the described capability.
- Instruction Scope (note): Instructions are limited to connecting to the stated backend, uploading user-supplied files, running render jobs, polling state, and returning results. They do not instruct reading arbitrary system files or unrelated credentials. One ambiguity: frontmatter/metadata references a config path (~/.config/nemovideo/) and asks to auto-detect 'install path' for X-Skill-Platform header — these imply filesystem queries that are not otherwise declared, so confirm whether the skill will access that path.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files, so nothing is downloaded or written to disk by an installer. That lowers install-time risk.
- Credentials (ok): Only one credential is required (NEMO_TOKEN), which the SKILL.md uses directly. The instructions also document obtaining an anonymous token from the service if NEMO_TOKEN is absent — that behavior is consistent with needing service access. No unrelated secrets or multi-service credentials are requested.
- Persistence & Privilege (ok): 'always' is false and the skill does not request elevated platform privileges. The SKILL.md describes creating a session on the backend but does not instruct modifying other skills or system-wide settings. The only potential persistence hint is an optional config path in the frontmatter (see instruction_scope note).
