CreatOK Analyze Video
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent for TikTok analysis: it sends a TikTok URL to CreatOK, uses a CreatOK API key, and stores analysis artifacts locally, with no malicious behavior evident in the provided code.
Before installing, confirm you are comfortable sending TikTok URLs to CreatOK and storing the resulting transcript and analysis files locally. Configure CREATOK_API_KEY carefully, and use safe generated run IDs for artifact folders.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The TikTok URL submitted for analysis is processed by CreatOK's service.
The skill sends the user-provided TikTok URL to CreatOK's analysis endpoint. This is disclosed and central to the skill's purpose, but it is still an external data flow users should notice.
body: { tiktok_url: tiktokUrl }
Use this skill only for TikTok URLs you are comfortable sending to CreatOK for analysis.
The skill can use the configured CreatOK API key to make CreatOK API requests.
The code uses CREATOK_API_KEY as a bearer token when calling CreatOK. This is expected for the provider integration and is not shown being logged or sent elsewhere.
Authorization: `Bearer ${this.cfg.openSkillsKey}`
Use a dedicated CreatOK API key with appropriate scope, keep it in environment configuration, and rotate it if exposed.
Analysis data from the TikTok video remains on disk after the run.
The skill persists transcript, vision, video details, session data, and final result JSON to local artifact files.
artifacts.writeJson('transcript/transcript.json', { segments }); ... artifacts.writeJson('outputs/result.json', result);
Review or delete the skill's .artifacts directories if the analyzed content or derived transcript should not remain locally.
A malformed run ID could create or overwrite fixed artifact filenames in unexpected local directories.
The run_id value becomes part of the artifact directory path without visible validation. Normal generated run IDs are fine, but path separators or '..' could place output folders outside the intended per-run location.
return new Artifacts(path.join(artifactsRootForSkill(skillDir), runId));
Use generated safe run IDs such as UUIDs or timestamps, and reject run IDs containing path separators or '..'.
