Skill v1.0.0

ClawScan security

Subtitle Generator Japanese · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 10:08 AM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are generally consistent with a cloud-based Japanese subtitle/burn-in service, but there is a small metadata mismatch (a config path declared in the SKILL.md that the registry didn't list) and you should be aware it will upload your video files and use or create a token tied to an external service (mega-api-prod.nemovideo.ai).
Guidance
This skill appears to do what it says: it uploads your video files to a third-party cloud service (mega-api-prod.nemovideo.ai) to generate and burn Japanese subtitles, and it needs a NEMO_TOKEN or will request a short-lived anonymous token for you. Before installing or using it: (1) confirm you are comfortable having your videos uploaded to that domain and review the provider's privacy/retention policies; (2) prefer using a short-lived or anonymous token rather than a long-lived account token if you want to limit exposure; (3) note the small metadata mismatch (a config path declared in SKILL.md) and consider asking the publisher to clarify whether any local config directory is read or written; and (4) avoid supplying other unrelated credentials. If you need stronger assurance, ask the skill author for a provenance link or official homepage and for clarification about the ~/.config/nemovideo/ path.

Review Dimensions

Purpose & Capability
note: The skill's name/description (generate Japanese subtitles and burn them into videos) lines up with the declared primary credential (NEMO_TOKEN) and the API endpoints in SKILL.md. One inconsistency: the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata reported no required config paths. This is likely a minor metadata mismatch but worth noting.
Instruction Scope
ok: The runtime instructions are focused on uploading video files, creating/using a session, streaming SSE for edits, and exporting rendered MP4s. The instructions only reference the NEMO_TOKEN (or obtaining an anonymous token via the service's auth endpoint) and map UI actions to API calls; they do not instruct the agent to read unrelated system files or other credentials. They do instruct the agent to include skill-derived headers and to detect install path strings to set X-Skill-Platform, which is reasonable for telemetry but does require the agent to inspect its environment/paths.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written to disk by an installer; this is the lowest-risk install surface.
Credentials
ok: Only one credential (NEMO_TOKEN) is declared as required and is appropriate for a cloud API-based video processing service. The skill also documents a fallback flow to obtain a short-lived anonymous token from the same service if NEMO_TOKEN is not present; that behavior is consistent with the skill's purpose. The earlier noted configPaths entry in the SKILL.md frontmatter is the only small surprise and should be clarified.
Persistence & Privilege
ok: The skill does not request always: true and contains no instructions to modify other skills or system-wide settings. It stores session_id for operations within the session as expected for a cloud render workflow. Autonomous invocation is allowed (platform default) and not an additional red flag here.