Skill v1.0.0
ClawScan security
Subtitle Generator Youtube · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 19, 2026, 10:09 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (generate and embed YouTube subtitles) matches most of its instructions, but there are several inconsistencies and privacy/behavioral concerns you should understand before installing.
- Guidance: Before installing, confirm you trust the backend domain (mega-api-prod.nemovideo.ai / nemovideo.ai) because uploaded videos and generated tokens/sessions will be sent there. Ask the author how and where anonymous tokens and session IDs are stored and for their data retention/privacy policy. Note the SKILL.md metadata references a config path (~/.config/nemovideo/) while the registry showed none; ask why. If you prefer tighter control, set NEMO_TOKEN yourself (from a vetted account) or avoid automatic anonymous token creation; and understand that the skill will perform automatic network activity on first use and will upload your media to a third party.
Review Dimensions
- Purpose & Capability (note): The skill claims to generate and embed subtitles for YouTube and requires a single service token (NEMO_TOKEN), which is coherent. However, the SKILL.md metadata references a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths; this mismatch is unexplained and worth asking the author about.
- Instruction Scope (concern): The runtime instructions direct the agent to automatically obtain an anonymous token (POST to mega-api-prod.nemovideo.ai) if NEMO_TOKEN isn't present, create sessions, upload videos, poll render status, and store session_id/token for subsequent calls. The skill instructs not to display raw token values. These actions involve automatic network calls and storing credentials/session state and will send user-provided videos to a third-party backend; the documentation does not clearly state retention, privacy, or deletion policies.
- Install Mechanism (ok): No install spec or code files are provided (instruction-only), so nothing is written to disk by an installer. This minimizes install-time risk.
- Credentials (concern): The skill requests a single primary credential (NEMO_TOKEN) which matches the backend it calls. However, the SKILL.md metadata adds a config path requirement (~/.config/nemovideo/) that the registry listing did not. Also the skill will generate and persist anonymous tokens/sessions if a token is not pre-supplied, which escalates what it may store on your system or in agent state without explicit consent.
- Persistence & Privilege (note): always:false (normal). The skill instructs storing session tokens and to connect to the backend automatically on first use; this is typical for service-backed skills but means it will perform network actions and persist session state in the agent environment unless the agent sandbox prevents it.
