Back to skill
Skillv1.0.0
ClawScan security
Remove Subtitles from Video Online Free – API-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 20, 2026, 5:07 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions are consistent with an API-based subtitle-removal tool; it only asks for the service API key and has no installable code, though the SKILL.md contains small documentation inconsistencies you should verify before use.
- Guidance
- This appears to be a coherent API-only integration for WeShop's subtitle-removal service. Before installing or using it: (1) confirm the correct input format (video URL field vs. the example's image field) and whether videos must be uploaded to an assets endpoint; (2) verify how the service handles video uploads, retention, and privacy for any sensitive content; (3) only provide an API key obtained from https://open.weshop.ai and ensure it is used only with openapi.weshop.ai as the skill instructs; (4) consider testing with non-sensitive videos first and use an API key with minimal permissions or an ephemeral key if possible; (5) if you need stronger assurance, ask the skill author to fix the SKILL.md inconsistencies before use.
Review Dimensions
- Purpose & Capability
- okName/description match the declared use of the WeShop OpenAPI for removing subtitles from videos. The single required environment variable (WESHOP_API_KEY) is the expected credential for an external API service and there are no unrelated binaries or config paths requested.
- Instruction Scope
- noteRuntime instructions limit network access to openapi.weshop.ai and explicitly advise keeping the API key scoped to that domain. However, the SKILL.md shows minor inconsistencies: it documents an images upload endpoint and an example payload using "originalImage", while the input fields declare "input.videos" and "videos" params (up to 1). These are documentation mismatches that should be clarified (do videos need to be uploaded via a separate assets endpoint, or is a video URL sufficient?). Otherwise the instructions do not request unrelated files or secrets.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. This is the lowest-risk install profile.
- Credentials
- okOnly a single API key (WESHOP_API_KEY) is required and is proportional to a cloud API integration. The SKILL.md explicitly warns not to leak the key to other domains. No other secrets or unrelated environment variables are requested.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated persistence or write access to other skills or system configuration. Autonomous invocation is permitted (platform default) but does not combine here with broad privileges or extra credentials.