Skillv1.0.0

ClawScan security

Subtitle Generator In Hinglish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 15, 2026, 8:57 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions align with its stated purpose (cloud subtitle/rendering) and it only asks for a single API token; nothing in the instructions is disproportionate or redirected to unrelated services.
Guidance: This skill uploads your video files to a third‑party cloud service (mega-api-prod.nemovideo.ai) and requires a NEMO_TOKEN to authorize API calls. Only proceed if you trust that external service and are comfortable with your videos being uploaded and processed there. If you don’t already have a token the skill will create an anonymous one (100 credits, 7‑day expiry) — consider using ephemeral tokens and revoke them when done. Be aware the agent may check common install directories to set an X-Skill-Platform header; if you prefer not to expose that info, run the skill in an environment without those directories or unset the token and upload via a controlled workflow. No local install is required, but do not send sensitive or private footage unless you understand the service’s privacy/retention policy.

Purpose & Capability: okThe skill is a cloud-based video subtitle/render pipeline and it only requires a single service token (NEMO_TOKEN) and a nemovideo config path, which are appropriate for calling a third‑party rendering API.
Instruction Scope: noteInstructions focus on communicating with nemovideo API endpoints (session creation, SSE, upload, render/poll). One minor scope note: headers include an X-Skill-Platform value 'detected from the install path' which implies the agent may inspect typical skill install directories (~/.clawhub/, ~/.cursor/skills/) to set that header — this is not necessary for subtitle functionality but is not highly sensitive. Otherwise the instructions do not ask the agent to read unrelated files or exfiltrate data to third parties.
Install Mechanism: okNo install spec or remote downloads are present (instruction-only skill), so nothing is written to disk by the skill itself during install.
Credentials: okOnly NEMO_TOKEN is required as the primary credential, which is proportional for a cloud rendering service. Metadata includes a nemovideo config path (~/.config/nemovideo/) which matches the service and may be used to locate existing credentials/configuration.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated or persistent system privileges; it does not modify other skills or system-wide settings.