Skill v1.0.0

ClawScan security

Youtube Subtitle Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 26, 2026, 6:47 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (adding subtitles) matches its runtime instructions, but there are metadata inconsistencies and runtime behaviors that warrant caution — in particular automatic token creation and reading of local install/config paths plus uploading user videos to an external service.
Guidance
This skill appears to do what it claims (upload your videos to a cloud service, generate subtitles, return rendered MP4s), but you should be aware of the following before installing or using it:

- Privacy: Using the skill uploads your video files to https://mega-api-prod.nemovideo.ai. If your videos contain sensitive or private data, do not use the skill without confirming the provider's data handling and retention policy.
- Credentials and anonymous tokens: The skill will look for NEMO_TOKEN or will call an anonymous-token endpoint to obtain a short-lived token (100 free credits, 7-day expiry). If you prefer control over credentials, supply your own NEMO_TOKEN rather than relying on anonymous provisioning.
- Filesystem reads: The SKILL.md instructs detecting install paths (~/.clawhub/, ~/.cursor/skills/) and references a config path (~/.config/nemovideo/). Those are not listed in the registry metadata and mean the agent may read locations in your home directory for attribution/config. If you are uneasy about that, restrict the skill's access or decline to install.
- No installer code: There is no install script or bundled code, which reduces disk-write risk, but the skill's runtime will make outbound network calls as described.

Recommended actions:

- Verify you are comfortable with uploading videos to the named domain and review any available privacy/terms pages for nemovideo.ai.
- If possible, provide a scoped/limited NEMO_TOKEN rather than allowing anonymous token creation.
- Ask the publisher for clarification about the declared config path (why ~/.config/nemovideo/ is needed) and whether the skill will read other files under your home directory.
- If you need strong guarantees about data residency or deletion, do not use this skill until you get explicit confirmation from the provider.
Confidence is medium because the skill's runtime instructions are generally consistent with its purpose, but the metadata mismatch and implicit filesystem access raise practical privacy/consent concerns that should be clarified.

Review Dimensions

Purpose & Capability
Note: The skill's endpoints, upload, SSE, and export workflows in SKILL.md align with a cloud-based subtitle/rendering service — this is coherent with the stated purpose. However, the SKILL.md YAML frontmatter declares a required config path (~/.config/nemovideo/) that is not listed in the registry metadata (the registry listed no required config paths). That mismatch is an inconsistency to note.
Instruction Scope
Concern: Instructions require uploading user video files to a third-party cloud API (mega-api-prod.nemovideo.ai) and include logic to auto-generate an anonymous token if NEMO_TOKEN is not present. The doc also instructs detecting the agent install path by checking home-directory locations (~/.clawhub/, ~/.cursor/skills/) and references a config path (~/.config/nemovideo/). Reading those filesystem locations is outside a minimal 'subtitle generation' description and should be disclosed to users. Uploading user videos to an external service is expected for this skill's functionality, but it has privacy implications that should be clear.
Install Mechanism
OK: This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. That minimizes installation risk.
Credentials
Note: The only declared required environment variable is NEMO_TOKEN (primary credential), which is appropriate for a cloud rendering API. However, the SKILL.md also references a config path (~/.config/nemovideo/) and expects to detect install paths for header attribution; those implicit filesystem accesses increase the scope of data the skill reads beyond a single API token. The skill will also create an anonymous token via an external API if NEMO_TOKEN is absent — this lets it operate without user-provided credentials but still means data and uploads go to the remote service.
Persistence & Privilege
OK: always is false and there is no install-time behavior described that would modify other skills or system-wide settings. The skill requests session tokens for the third-party service but does not request persistent agent privileges in the registry metadata.