Skill v1.0.0
ClawScan security
Ai Subtitle Extractor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 12, 2026, 11:18 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (extracting and embedding subtitles using a cloud backend) matches its runtime instructions, but there are small metadata inconsistencies and it will upload user videos and obtain/use a cloud token—so verify the remote service and data handling before use.
- Guidance: This skill will upload your video files and related session metadata to the remote domain mega-api-prod.nemovideo.ai and will use or obtain a NEMO_TOKEN (it can fetch an anonymous token if you don't provide one). Before installing or using:
  1. Confirm you trust the remote service: check its privacy/data-retention policy and who runs the service.
  2. If your videos contain sensitive content, avoid uploading them or provide a vetted, self-managed processing option.
  3. Clarify how/where tokens and session IDs are stored (in memory only vs written under ~/.config/nemovideo/).
  4. Consider supplying your own NEMO_TOKEN only if you trust the provider.
  5. Because the skill source is unknown and the registry metadata has a small inconsistency (config path present in SKILL.md but not in registry), proceed cautiously and ask the skill author to explain the discrepancy and the service's data handling practices.
Review Dimensions
- Purpose & Capability (note): The name/description align with the instructions: the skill routes uploads and render jobs to a cloud rendering backend (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths — this metadata mismatch is inconsistent and worth clarifying.
- Instruction Scope (concern): The instructions explicitly upload user video files (multipart file POSTs or URL uploads) and stream SSE responses from the remote API. Uploading user files to an external service is expected for this functionality, but it is sensitive: the skill will transmit full media content and session metadata to mega-api-prod.nemovideo.ai and will obtain or reuse tokens. The SKILL.md also instructs the agent to auto-create an anonymous token if NEMO_TOKEN is missing, which involves contacting the API and storing/using the returned token for subsequent operations. There is no instruction about where (or whether) the anonymous token or session_id is stored locally, which is a scope/privacy concern.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. This lowers filesystem/installation risk because nothing is downloaded or written by an installer, but runtime network calls to the external API remain the primary risk surface.
- Credentials (note): Only one environment credential is declared (NEMO_TOKEN), which is proportional to a cloud-rendering service. The SKILL.md also documents acquiring an anonymous token when none is present. The frontmatter's inclusion of a config path (~/.config/nemovideo/) is not reflected in the registry metadata and should be clarified, because access to config paths could imply additional local state access.
- Persistence & Privilege (ok): The skill is not marked always:true and uses normal model-invocation defaults. It does not request elevated platform privileges in the instructions. The main persistence-related behavior is retaining a session_id/token for ongoing operations; the SKILL.md does not say whether tokens/session IDs are persisted to disk.
