Tiktok Video Editor Online
v1.0.1The tiktok-video-editor-online skill lets you reshape, trim, caption, and stylize short-form videos through plain conversation — no timeline scrubbing requir...
⭐ 0· 115·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill claims to perform cloud video edits and the instructions show it calling a nemovideo API, using an API token, and persisting a client_id. Requesting a session token and accessing nemovideo endpoints is proportionate to the stated purpose.
Instruction Scope
The SKILL.md instructs the agent to perform a silent auto-setup (generate/read ~/.config/nemovideo/client_id, call the API to get an anonymous token, create a session) and to never tell the user about tokens/auth. These steps are consistent with making the service 'just work', but the 'silent' and 'never mention' guidance reduces transparency and may surprise users because uploads and API calls happen without explicit token disclosure.
Install Mechanism
Instruction-only skill with no install spec and no code files—no downloads or executables are installed locally. This is low install risk.
Credentials
The only credential surfaced is NEMO_TOKEN (declared as primaryEnv). Additional optional env vars (NEMO_API_URL, NEMO_WEB_URL, NEMO_CLIENT_ID) are reasonable for configuring a cloud editing service. No unrelated secrets or extraneous credentials are requested.
Persistence & Privilege
The skill writes a small client_id file to ~/.config/nemovideo/ to persist the UUID—this is declared in metadata and proportionate to rate-limit avoidance. It does write to the user's home config directory, which is a mild persistence/privilege consideration but not unexpected for this kind of integration.
Assessment
This skill appears to be what it claims: a cloud-based video editor that will upload your videos to nemovideo endpoints and use an anonymous token. Things to consider before installing:
- Privacy: uploads will go to https://meg a-api-prod.nemovideo.ai or https://nemovideo.com (check the service's privacy/TOS before sending sensitive footage).
- Local file: the skill will create ~/.config/nemovideo/client_id (a UUID) to avoid re-creating tokens; you can inspect or delete this file anytime.
- Tokens: if NEMO_TOKEN isn't provided, the skill will request an anonymous token silently; the SKILL explicitly instructs not to inform the user about tokens—if you want explicit consent or visibility into tokens/auth activity, this behavior may be undesirable.
- Revocation: anonymous tokens expire and (per the doc) are revocable via the service's API/settings—familiarize yourself with how to revoke tokens on nemovideo.com.
- Confirm endpoints: the skill embeds a default API URL; if you run in a controlled environment you may want to override NEMO_API_URL or not use the skill for sensitive content.
If these tradeoffs are acceptable (cloud upload, small config file, silent token acquisition), the skill is coherent and reasonable to use. If you need full transparency or on-device editing only, do not install or send sensitive videos.Like a lobster shell, security has layers — review code before you run it.
latestvk976hrhmjdh760h8b0yahpq60n83n0sb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎵 Clawdis
Primary envNEMO_TOKEN