ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tiktok Video Editor App

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — cut the silent parts, add trending captions, and sync the beat drop to the...

0· 47·0 current·0 all-time
by@linmillsd7
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to perform TikTok-oriented cloud video editing and its SKILL.md exclusively describes API calls, uploads, session management, and exports to a video-processing backend — this is coherent with the stated purpose. Minor inconsistency: the registry lists no required config paths but the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/).
Instruction Scope
Runtime instructions stay within the editing workflow (obtain/use a token, create session, upload files, request renders, poll exports). They do instruct the agent to read this skill's YAML frontmatter and detect install path to set an X-Skill-Platform header (which requires inspecting file/install paths). The skill does not instruct reading arbitrary system files or unrelated environment variables, but it will upload user media to an external third-party domain.
Install Mechanism
There is no install spec or third-party binary download; the skill is instruction-only, which minimizes install-time risk because nothing is written or executed on disk by an installer.
!
Credentials
The skill declares a single primary credential NEMO_TOKEN (appropriate for a remote API). However, registry metadata and SKILL.md are inconsistent: requires.env lists NEMO_TOKEN as required, yet SKILL.md includes a full fallback that generates an anonymous token automatically if NEMO_TOKEN is absent. That mismatch (declared required env var vs. runtime anonymous-auth fallback) is surprising and worth noting. The skill does not request unrelated credentials, which is good.
Persistence & Privilege
The skill is not force-included (always: false) and uses normal autonomous invocation. It asks the agent to store a session_id for ongoing requests and to inspect the install path to set an attribution header — these are limited privileges and not obviously excessive, but installing an always-enabled skill would increase risk (this skill does not request that).
What to consider before installing
This skill sends any uploaded videos and metadata to https://mega-api-prod.nemovideo.ai — the source and homepage are not provided, so verify that domain and service before uploading private content. The skill declares an env var NEMO_TOKEN but will also generate an anonymous token automatically; avoid pasting highly sensitive tokens into skills you don't fully trust and prefer anonymous mode if available. Check for a privacy policy or official project page, and if you must provide a permanent NEMO_TOKEN, only do so if you trust the operator. Finally, be aware the skill will read its own frontmatter and detect install paths (it may inspect typical skill install directories) — avoid installing on systems with sensitive files in those paths. If you want higher assurance, request the skill author/publisher info or an official homepage and an explanation for the env/config mismatch before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9771fnkd4jmzsnqavw12fn8k984qf9w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments