Back to skill
Skillv1.0.0
ClawScan security
Video To Text Extract Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 22, 2026, 8:21 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions are generally consistent with a cloud video→text transcription tool, but there are a few minor metadata mismatches and privacy/storage details you should confirm before installing.
- Guidance
- This skill behaves like a normal cloud transcription tool: it will upload any video you provide to mega-api-prod.nemovideo.ai and use a NEMO_TOKEN (or create a short-lived anonymous token) to process it. Before installing, confirm: (1) you are comfortable with your video content being sent to that external service and have reviewed its privacy/terms; (2) where and how the skill will persist the anonymous token or session_id (environment variable vs ~/.config/nemovideo/) — there is a metadata mismatch in the registry vs SKILL.md that should be clarified; (3) whether the skill will read the agent install path when setting X-Skill-Platform (this may require minimal filesystem queries). If you need to handle sensitive or regulated data, do not use this skill until you have explicit documentation from the skill author about storage, retention, and data handling policies.
Review Dimensions
- Purpose & Capability
- okName/description (video→text transcription) align with the declared primary credential (NEMO_TOKEN) and the SKILL.md instructions, which call a nemovideo.ai cloud API for upload, SSE chat, session management and export. No unrelated credentials or binaries are requested.
- Instruction Scope
- noteRuntime instructions stay within the stated purpose (creating sessions, uploading video, polling for render results, reading SSE). The skill explicitly instructs how to obtain an anonymous token if NEMO_TOKEN is not present, how to set headers, and to store the session_id. It also tells the agent not to display raw token/API responses. This is expected, but the instructions implicitly require uploading the user's video files to an external service (mega-api-prod.nemovideo.ai) — a clear privacy implication the user should be aware of.
- Install Mechanism
- okNo install spec and no code files (instruction-only). Lowest-risk installation surface — nothing is written to disk by an installer step. All runtime network actions are described in SKILL.md.
- Credentials
- noteOnly NEMO_TOKEN is declared as the primary credential, which is appropriate for a hosted transcription service. SKILL.md describes auto-obtaining a short-lived anonymous token if none is present. There is an inconsistency: registry metadata (provided earlier) lists no required config paths, but the SKILL.md frontmatter mentions configPaths (~/.config/nemovideo/). That mismatch should be clarified. Storing tokens or session IDs in environment or config directories is sensitive and should be documented.
- Persistence & Privilege
- okalways:false (not force-enabled). The skill asks only to store a session_id (and possibly token) for use with the service; it does not request system-wide privileges or to modify other skills. No evidence it modifies other agent settings.