Skill v1.0.0

ClawScan security

Add Subtitle To Video Vlc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 1:53 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (embedding subtitles via a cloud backend) matches its runtime instructions and environment needs, but it will upload your videos to an external service and there is a small metadata inconsistency you should be aware of.
Guidance
This skill will upload your video files to a third-party cloud service (mega-api-prod.nemovideo.ai) for processing. It needs a NEMO_TOKEN (or will request an anonymous token on your behalf) and will send Authorization and several attribution headers with each request. Before installing or using it: (1) confirm you’re comfortable uploading the specific videos you plan to process (do not upload sensitive/private content without checking the service's privacy/retention policies), (2) verify the service/domain and look for a homepage/privacy policy or terms (none were provided in the registry metadata), (3) be aware anonymous tokens expire (7 days) and the skill may obtain them automatically, and (4) note the SKILL.md frontmatter references a config path (~/.config/nemovideo/) not listed in the registry metadata — consider asking the publisher why that discrepancy exists. If you need to protect sensitive content, do not use this skill until you can verify the backend and its policies.

Review Dimensions

Purpose & Capability
ok: The skill claims to add/encode subtitles into videos via a cloud rendering pipeline. The SKILL.md describes API endpoints for upload, render, and export and requires a NEMO_TOKEN; these requirements are coherent with the stated purpose.
Instruction Scope
ok: All instructions are focused on creating a session, uploading media, driving SSE or REST edit/export flows, and returning download URLs. The runtime steps involve obtaining/using a NEMO_TOKEN (or requesting an anonymous token), uploading video files (up to 500MB), polling render status, and returning results — all within the stated scope. The skill does not instruct reading unrelated system files or unrelated credentials.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer. That is the lowest-risk installation approach and is proportionate for an API-driven skill.
Credentials
note: The only required environment credential is NEMO_TOKEN (declared as primaryEnv and used for Authorization). The SKILL.md also describes obtaining an anonymous token if none is present, which is consistent with operation without a user-supplied token. However, the SKILL.md frontmatter includes a config path (~/.config/nemovideo/) that registry metadata did not list earlier — this metadata mismatch is noteworthy but not by itself dangerous.
Persistence & Privilege
ok: The skill does not request always:true and does not ask to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default), which combined with cloud uploads increases the need for user awareness but is not in itself suspicious.