Skill v1.0.0

ClawScan security

Subtitle Generator Japanese To English · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 13, 2026, 7:12 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared requirements and runtime instructions are coherent with a cloud-based Japanese→English subtitle service; it only needs a single service token and uploads videos to the described backend.
Guidance
This skill uploads your video files to a third‑party cloud service (mega-api-prod.nemovideo.ai) and will use a NEMO_TOKEN (or create a 7‑day anonymous token) to process and return rendered videos. Before installing: (1) verify you are comfortable uploading the video content to an external service and review any privacy/retention policies on that domain, (2) consider providing your own NEMO_TOKEN rather than relying on anonymous tokens, (3) be aware the agent may read or write to ~/.config/nemovideo/ to persist tokens or settings, and (4) confirm the external service (nemovideo) is reputable if you will process sensitive material.

Review Dimensions

Purpose & Capability
ok: Name/description match the runtime instructions and required credential (NEMO_TOKEN). The skill's API calls, upload, session, and export flows all relate to generating and exporting subtitled videos, which is consistent with the stated purpose.
Instruction Scope
note: The SKILL.md tells the agent to upload user video files and call a remote API (mega-api-prod.nemovideo.ai) for processing and exports — this is expected for a cloud subtitle renderer. It also instructs the agent to create an anonymous token automatically if NEMO_TOKEN is absent and to detect an install path to set attribution headers; detecting install path implies filesystem probing which is not strictly required for core subtitle functionality and is only for attribution/telemetry.
Install Mechanism
ok: Instruction-only skill with no install spec or external downloads. Nothing is written to disk by an installer step; runtime network calls are handled via the described API endpoints.
Credentials
ok: Only one required environment variable is declared (NEMO_TOKEN) and is directly used for Bearer auth to the service. The metadata lists a config path (~/.config/nemovideo/) that aligns with persisting service tokens/config; no unrelated credentials are requested.
Persistence & Privilege
ok: always is false and autonomous invocation is allowed by default. The skill does not request elevated or system-wide permissions, nor does it attempt to modify other skills. It may persist a token or use the config path for credentials, which is reasonable for a service client.