Skill v1.0.0

ClawScan security

Ai Caption Generator For Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 9:19 PM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared requirements and runtime instructions are mostly coherent for a cloud-based video captioning service, but there are small metadata inconsistencies and privacy implications (it will upload user video to an external API and may auto-generate/store an anonymous token).
Guidance
This skill appears to do what it says: it uploads user video files to a third‑party Nemovideo backend, generates captions, and returns downloadable exports. Before installing: (1) confirm you’re comfortable uploading the videos to that external service and review its privacy/retention policy; (2) note the skill will try to auto-obtain an anonymous NEMO_TOKEN if one isn’t provided (100 free credits for 7 days) — if you prefer manual control, supply your own token or avoid using the auto-connect flow; (3) clarify the metadata mismatch about a local config path (~/.config/nemovideo/) vs. the registry record — ask the publisher where local data (if any) is stored and why that path is needed; (4) because the skill is from an unknown source with no homepage, prefer caution: test with non-sensitive videos, and monitor network activity or request the skill author/publisher information before sending private content.

Review Dimensions

Purpose & Capability
ok: The name/description match the runtime actions: the skill calls a remote Nemovideo API to upload videos, generate captions, and return exported MP4s. The single required env var (NEMO_TOKEN) and the API endpoints described are appropriate for that purpose.
Instruction Scope
note: The SKILL.md instructs the agent to check NEMO_TOKEN, optionally obtain an anonymous token from the backend, create sessions, upload user video files, poll state, and stream SSE responses — all expected for a cloud render pipeline. It does not ask the agent to read unrelated files or credentials. It does instruct hiding raw API responses/tokens from the user (a UX choice) and to include attribution headers derived from file frontmatter and install path; these are implementation details worth noting but not out-of-scope.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. Low install risk.
Credentials
note: The skill requests only NEMO_TOKEN as its primary credential, which is proportional to calling the Nemovideo API. However, the SKILL.md frontmatter also mentions a config path (~/.config/nemovideo/) not reflected in the registry summary; this metadata mismatch should be clarified (it suggests the agent might read or expect a local config, which is broader than just an env token).
Persistence & Privilege
ok: always is false and the skill doesn't request permanent/privileged presence. It requests to store a session_id for API calls (normal for a remote-service integration).