Skill v1.0.0
ClawScan security
Media Caption · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 5:13 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are generally consistent with a cloud-based video captioning service, but there are small metadata inconsistencies and privacy concerns you should consider before uploading media or providing a token.
- Guidance: This skill uploads any video files you give it to a third-party API (mega-api-prod.nemovideo.ai) and uses a NEMO_TOKEN to authenticate. If you don't provide a token it will request a short-lived anonymous token and still upload your media. Before installing/using: (1) don't upload sensitive or private videos unless you trust the service; (2) prefer using an account token you control (NEMO_TOKEN) rather than anonymous tokens; (3) note the skill will save session IDs/tokens for ongoing jobs, so avoid pasting tokens into chat; (4) the skill has no homepage or provenance and the registry metadata slightly differs from the SKILL.md (config path listed in the frontmatter), so verify the service and terms of use independently if you need stronger assurance.
Review Dimensions
- Purpose & Capability (ok): The skill's name/description (add captions to video) aligns with its runtime instructions: it calls a remote rendering/captioning API and uploads media. Requesting a single service token (NEMO_TOKEN) is appropriate for this purpose.
- Instruction Scope (note): The SKILL.md is instruction-only and directs the agent to upload user files and interact with the nemovideo.ai API (session creation, SSE, render polling). It does not instruct the agent to read unrelated system files or arbitrary credentials. It does instruct detection of an install path to set X-Skill-Platform and references saving session tokens; these are reasonable for attribution/state but give the skill discretion to read agent-related paths.
- Install Mechanism (ok): No install spec or external downloads; instruction-only behavior minimizes disk persistence and installer risk.
- Credentials (note): Only NEMO_TOKEN is declared as required, which fits the API usage. However, SKILL.md frontmatter also lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths, a minor metadata inconsistency. The skill will also generate an anonymous token if no token is present, meaning media can be uploaded under an ephemeral account.
- Persistence & Privilege (ok): Skill is not always-enabled and uses normal autonomous invocation. It does not request elevated platform privileges or claim to modify other skills or system-wide settings.
