Skill v1.0.0
ClawScan security
Ai Subtitle Generator Best · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 11, 2026, 8:31 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill generally matches a subtitle-rendering service (it asks for a NEMO_TOKEN and describes uploading videos to a cloud render API), but there are metadata/instruction inconsistencies and missing provenance that deserve caution before installing or using it with sensitive content.
- Guidance: Consider these steps before installing or using the skill:
  1) Confirm the external service and domain (mega-api-prod.nemovideo.ai) are legitimate and acceptable for your content — the skill has no homepage or published provenance.
  2) Prefer using an anonymous/ephemeral token or a throwaway account when testing; avoid giving a long-lived or highly-privileged NEMO_TOKEN until you trust the service.
  3) Don't upload sensitive videos (containing secrets, PII, proprietary content) until you verify retention and privacy policies with the service owner.
  4) Ask the author to clarify the metadata mismatch (registry vs SKILL.md configPaths) and why the skill needs to infer install paths — this should be explicit.
  5) If you need higher assurance, request the skill's source or a vendor/privacy link; otherwise test with non-sensitive sample videos first.
Review Dimensions
- Purpose & Capability
- concern: The skill's stated purpose (AI subtitle generation and cloud rendering) aligns with its runtime instructions to upload media and call nemovideo.ai endpoints and thus legitimately needs an API token. However there is an internal mismatch: the registry metadata lists no required config paths, while the SKILL.md frontmatter declares a configPaths entry (~/.config/nemovideo/). That inconsistency is unexplained and reduces confidence in the packaging/authoring.
- Instruction Scope
- note: SKILL.md gives concrete API flows (anonymous-token acquisition, session creation, SSE, upload, render, polling) which are appropriate for a cloud subtitle/render service. It also instructs deriving an X-Skill-Platform value from an install path (~/.clawhub/, ~/.cursor/skills/) which implies the agent might inspect install locations — a minor scope creep that should be explicit (why is that needed?). Otherwise instructions do not request unrelated system files or other credentials.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written by an installer. That minimizes disk-write risk.
- Credentials
- note: The skill requires a single credential (NEMO_TOKEN), which is proportionate to a cloud API-based subtitle/render service. Still: SKILL.md describes creating/using an anonymous token if none is provided, and the frontmatter's configPaths declaration (not present in registry) is inconsistent. The single required env var appears justified, but verify you trust the endpoint before supplying a long-lived token.
- Persistence & Privilege
- ok: always is false and there is no install-time persistence or modifications to other skills. The skill requires network access to an external API and can be invoked autonomously (default), which is expected for a cloud processing skill; not flagged on its own.
