Skill v1.0.0

ClawScan security

Youtube Video Caption Download · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 5:35 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions align with a cloud video/caption extraction service: it needs a NEMO_TOKEN and contacts nemovideo.ai to create sessions, upload video URLs/files, and retrieve captions/exports.
Guidance
This skill appears to be what it says: a cloud video/caption extraction front-end that calls nemovideo.ai and requires an API token. Before installing or using it: (1) Only provide a NEMO_TOKEN if you trust nemovideo.ai — the token grants access to upload and process your videos. (2) Avoid uploading sensitive files; the agent will accept and send local files to the remote API. (3) Note the SKILL.md can obtain an anonymous token automatically if no NEMO_TOKEN is present (it will call the public anonymous-token endpoint), so lack of a token does not prevent external network calls. (4) Ask the skill author to resolve the small metadata mismatch (registry says no config paths but the SKILL.md frontmatter lists ~/.config/nemovideo/). If those points are acceptable, the skill's behavior is coherent with its stated purpose.

Review Dimensions

Purpose & Capability
ok
The skill claims to download captions and describes a cloud render/upload pipeline; the single required env var (NEMO_TOKEN) and the documented API endpoints (nemovideo.ai) are consistent with that purpose. The skill also supports uploading video files and working with YouTube URLs, which matches the description.
Instruction Scope
note
The SKILL.md instructs the agent to use NEMO_TOKEN (or obtain an anonymous token), create sessions, upload files or URLs, poll render status, and return download URLs. These actions are expected for this service. Note: the instructions tell the agent to upload local files (multipart file upload) and to hide technical details from the user; uploading local files is normal for this use case but is a data-exfiltration vector if users mistakenly upload sensitive files.
Install Mechanism
ok
There is no install spec and no code files (instruction-only), so nothing is written to disk and no external packages are pulled in by the skill itself. This is the lowest-risk install model.
Credentials
note
The only required environment credential is NEMO_TOKEN (declared as primary), which is proportionate for an API-backed service. The SKILL.md also documents an anonymous-token fallback it will obtain from the public API if NEMO_TOKEN is not present. One minor inconsistency: the registry summary lists no required config paths, but the skill frontmatter declares a config path (~/.config/nemovideo/). This mismatch should be clarified.
Persistence & Privilege
ok
The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or system-wide settings according to the provided instructions.