Skill v1.0.0

ClawScan security

Video To Text Transcription · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 14, 2026, 11:56 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are broadly consistent with a cloud-hosted video-to-text transcription service, but it will send your video files and session tokens to an external API and has a small metadata/filepath inconsistency you should review.
Guidance
This skill will upload your video files to an external service (mega-api-prod.nemovideo.ai) and use a bearer token (NEMO_TOKEN) or obtain a 7-day anonymous token for you. Before installing: (1) confirm you are comfortable uploading the videos to that domain and review its privacy/retention policy; (2) consider supplying your own NEMO_TOKEN rather than letting the skill obtain one automatically if you want tighter control; (3) be aware the skill may access local paths when uploading files and may check common install/config paths to set an X-Skill-Platform header — this is minor but unnecessary for transcription and worth noting; (4) verify pricing/credit implications because anonymous tokens have limited free credits and some export errors reference subscription tiers. If you need higher assurance, ask the publisher for a homepage or documentation and confirm the API domain's legitimacy before use.

Review Dimensions

Purpose & Capability
ok: Name and description match the actual actions: the skill uploads video files, requests a transcription/render from a remote API, and returns downloadable media. The declared primary credential (NEMO_TOKEN) is appropriate for a third-party transcription API.
Instruction Scope
note: SKILL.md tells the agent to obtain/store an anonymous token, create sessions, upload local files (multipart @/path) or URLs, stream SSE messages, poll export status, and return download URLs, all expected for this service. It does reference reading or deriving headers from local install/config paths (e.g., ~/.clawhub, ~/.cursor, and ~/.config/nemovideo/), which is not strictly needed for transcription and is a minor scope creep to be aware of.
Install Mechanism
ok: No install spec or code is provided (instruction-only), so nothing is written to disk by the skill itself. This is lowest-risk in terms of install behavior.
Credentials
ok: Only a single service token (NEMO_TOKEN) is required and is the declared primary credential. The skill can also obtain an anonymous token itself if none is provided, which is coherent with its anonymous usage flow and reduces the need for additional secrets.
Persistence & Privilege
note: The skill instructs the agent to 'store' session_id and use tokens for subsequent requests (normal for sessioned APIs). It is not always-enabled and does not request elevated system-wide privileges. The documentation is vague about where/how session state is stored; this is typical but worth noting.