Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tiktok Slideshow Maker

v1.0.0

Creates TikTok image carousels (slideshows with text overlays on photos) via the ViralBaby API. Use when the user wants to: create TikTok slideshows or carou...

0 · 471 · 3 current · 3 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (TikTok slideshow via ViralBaby API) matches the runtime instructions: search images, build collections, edit slides, and upload drafts to TikTok. However, the registry metadata declares no required environment variables or primary credential, while the instructions clearly require and depend on an API key (VB_KEY) and optionally a saved password (VB_PASSWORD). That metadata mismatch should be corrected.
Instruction Scope
The SKILL.md instructs the agent to sign up new users, log in, and 'immediately save' the returned API key and password as environment variables to persist across sessions. It also mandates fetching stored user preferences at session start and transmitting user business/product_info to the ViralBaby service. Asking the agent to create accounts and persist secrets, and to automatically fetch/store user preferences, expands the skill's runtime scope beyond simple 'call this API' behavior and could lead to unintended credential persistence or data exfiltration.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written during installation. That reduces install-time risk.
Credentials
Although the skill needs an API key and password at runtime, the registry declares no required env vars. The instructions also tell the agent to store credentials in environment variables (VB_KEY, VB_PASSWORD), which is a weak persistence mechanism (env vars can leak via process listings, logs, backups). Requesting persistent credentials is understandable for a third-party API, but storing raw passwords in env vars and the lack of declared required credentials in metadata are disproportionate and deserve clarification.
Persistence & Privilege
The always flag is false (good). However, the skill explicitly instructs the agent to persist credentials across sessions by exporting env vars, which implies the long-term presence of secrets on the host. The skill doesn't request to modify other skills or global agent settings, but the guidance to persist secrets is a notable privileged behavior the user should approve explicitly.
What to consider before installing
Before installing: (1) confirm you trust viralbaby.co and read that service's privacy policies — your business/product info and images will be sent there. (2) Ask the skill author to update registry metadata to declare VB_KEY and VB_PASSWORD as required env vars so the runtime requirements are transparent. (3) Avoid storing long-lived passwords in plain environment variables; prefer a secure credential store or token-only workflow. (4) Understand the skill will create/log in accounts and persist API keys if followed — only proceed if you want the agent to manage those credentials on your system. If you need higher assurance, request the exact HTTP flows the skill will execute (so you can review where data is sent) or require interactive confirmation before creating accounts or exporting credentials.


latest: vk972d951by7ykjrj5byfdc9cex825t9a
