ClawHub
Back to skill
v1.0.3

TikTok Video Maker

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:18 AM.

Analysis

This is a disclosed LovelyBots API integration that uses an API key to send user-provided scripts and images for video generation, with no artifact-backed hidden, destructive, or deceptive behavior.

GuidanceInstall this only if you trust LovelyBots and intend to let your agent create videos through that paid API. Keep the API key secret, confirm credit-consuming jobs before running them at scale, avoid uploading sensitive or unauthorized media, and treat returned share/download URLs as private.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Submits a video generation job (script + source image → queued video) ... Reports credits remaining after each request

The skill creates remote video-generation jobs and tracks account credits. This is expected for the stated purpose, but it is still an account-affecting API action.

User impactUsing the skill can create jobs on the user's LovelyBots account and may consume paid credits.
RecommendationUse it only for user-approved scripts and images, monitor credits, and keep the documented polling timeout/backoff behavior.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
Always send `Authorization: Bearer $LOVELYBOTS_API_KEY` on every API request.

The skill requires a bearer token for the user's LovelyBots account. The credential is clearly disclosed and purpose-aligned, but it grants access to the service account.

User impactAnyone with the API key could potentially use the user's LovelyBots API access and credits.
RecommendationStore the API key as a secret, avoid committing it to repositories, rotate it if exposed, and use any provider-side IP allowlist or revocation controls available.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
README.md
POST a script and image input (`image`: file upload, URL, or base64) → GET a finished video URL.

User-provided scripts and images are sent to the LovelyBots API and a video/share URL is returned. This data flow is disclosed and central to the purpose, but it crosses a third-party service boundary.

User impactImages, scripts, and generated video links may contain personal, commercial, or confidential content that will be handled by the external provider.
RecommendationOnly upload content you have rights to share with LovelyBots, avoid sensitive media unless appropriate, and treat returned video/share URLs as confidential.