Skill v1.0.0

ClawScan security

Auto Subtitle Extension · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 26, 2026, 6:52 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with a cloud-based subtitle/rendering service, but it will upload user videos to an external API and has a small metadata inconsistency you should note before installing.
Guidance
This skill is internally consistent for a cloud subtitle/rendering service, but it will upload your video files to https://mega-api-prod.nemovideo.ai and use a bearer token (NEMO_TOKEN) for requests. If you provide your own NEMO_TOKEN you are granting that service access under your account; if you do not provide one the skill will request an anonymous token from the provider and still upload files. Before installing or using: (1) confirm you trust the nemovideo.ai domain and understand their privacy/retention policy for uploaded videos, (2) avoid sending sensitive or private footage unless you accept that it will leave your device, (3) if you prefer, create a limited/throwaway service token rather than using a long-lived account token, and (4) note the small metadata inconsistency about configPaths (harmless but worth verifying with the skill author if you need guarantees about local path access).

Review Dimensions

Purpose & Capability
ok
Name/description (auto-generate and extend subtitles) match the instructions: uploading video files, creating a session, sending SSE messages, and requesting exports from a remote render API. The required NEMO_TOKEN credential is appropriate for a cloud backend that needs authentication.
Instruction Scope
note
SKILL.md explicitly instructs the agent to upload user video files and to send API requests (session creation, SSE, upload, export) to mega-api-prod.nemovideo.ai — this is expected for a cloud-rendering subtitle service. It also instructs generation of an anonymous token if NEMO_TOKEN is absent. The file references and network calls are within the stated purpose, but the skill will transmit entire video files to a third-party server (expected but privacy-relevant). The frontmatter requests a config path / install-path detection for the X-Skill-Platform header; registry metadata said no config paths earlier, which is an internal inconsistency to be aware of.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written to disk by an installer.
Credentials
note
Only NEMO_TOKEN is declared as required, which is proportionate: the backend needs a token to authenticate requests. The SKILL.md also supports obtaining an anonymous token by calling the service's anonymous-token endpoint when no env var is present. That behavior is reasonable but means the skill can operate without a user-managed secret by creating short-lived anonymous credentials.
Persistence & Privilege
ok
always is false and there is no install-time persistence. The skill asks the backend to create sessions and returns session IDs for job management — expected for a remote processing workflow. It does not request system-wide or cross-skill config changes.