ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tiktok Editor Ai

v1.0.0

Cloud-based tiktok-editor-ai tool that handles creating short edited TikTok videos from raw footage. Upload MP4, MOV, AVI, WebM files (up to 500MB), describe...

0· 55·0 current·0 all-time
by@linmillsd7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the runtime instructions (upload video files, create sessions, render on cloud GPUs). Declared primary credential (NEMO_TOKEN) is sensible for a cloud API. However, the registry metadata reported no required config paths while the SKILL.md frontmatter declares a configPath (~/.config/nemovideo/), an internal inconsistency that should be resolved.
Instruction Scope
Runtime instructions are focused on the external nemovideo.ai API (session creation, upload, SSE, render polling) which fits the purpose. The skill also instructs the agent to read the skill's YAML frontmatter and detect an install path (~/.clawhub, ~/.cursor/skills/) by checking home-directory paths — this local probing is not strictly necessary for editing functionality and expands filesystem access beyond obvious needs. Otherwise there are no instructions to read unrelated env vars or secrets.
Install Mechanism
Instruction-only skill with no install spec or code files — minimal install risk (nothing is downloaded or written by an installer).
!
Credentials
The skill declares NEMO_TOKEN as a required/primary env var, which is appropriate for a cloud API. But the SKILL.md also describes obtaining an anonymous token automatically if NEMO_TOKEN is absent — so marking the token as strictly required is inconsistent. No other credentials are requested. The mismatch between declared configPaths and registry metadata adds to the proportionality concern.
Persistence & Privilege
Does not request always=true or other elevated persistent privileges. Session IDs are ephemeral and there are no instructions to modify other skills or system-wide settings.
What to consider before installing
This skill mostly does what it says — it uploads your videos to a third-party API (mega-api-prod.nemovideo.ai) for cloud editing and requires/uses a NEMO_TOKEN. Before installing, confirm you trust that domain and understand that your raw videos will be uploaded off-device. Ask the publisher for a homepage or source repository (none is listed). Also note the SKILL.md inconsistently lists a local config path and claims NEMO_TOKEN is required even though it can fetch an anonymous token; that inconsistency could be benign (sloppy metadata) but could also mask unexpected behavior. If you proceed: avoid supplying any unrelated credentials, and prefer letting the skill create an anonymous token rather than entering long-lived secrets until you verify the provider. If you need higher assurance, request the skill's source code or a verified homepage and an explanation for the configPath/install-path checks before enabling it.

Like a lobster shell, security has layers — review code before you run it.

latestvk973az3hn1km1w5hpyzq3qhqm584jc0e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments