ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CreatOK Generate Video

v0.1.5

Use when generating, resuming, or checking TikTok videos, ads, or selling videos.

0· 269·0 current·0 all-time
by@newt0n
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (TikTok video generation) matches what the code does: it calls CreatOK Open Skills endpoints at https://www.creatok.ai, submits video-generation tasks, polls status, uploads reference images, and writes run artifacts. Required Node binary and the primaryEnv CREATOK_API_KEY are appropriate for this functionality.
Instruction Scope
SKILL.md and code limit actions to: preparing prompts, uploading user-provided reference images, submitting tasks, and polling task status. The skill reads local image files provided as reference_images and writes artifacts under .artifacts in the skill directory. The skill enforces (in SKILL.md and interactively in scripts/run.js) that user confirmation is required before starting generation, but the run script supports a --yes flag to bypass confirmation — ensure the agent or runner does not auto-confirm paid operations.
Install Mechanism
No external install/downloads are performed (no install spec), and all code is bundled locally. This is low risk from an install perspective. Minor inconsistency: registry metadata labels it instruction-only while the package actually includes runnable Node scripts and libraries; Node must be present to run them.
Credentials
Only CREATOK_API_KEY is required and is used by the code to call the CreatOK API. No other secrets, cloud creds, or unrelated environment variables are requested or read.
Persistence & Privilege
Skill does not request always:true or elevated platform privileges. It writes artifacts to a local .artifacts path inside the skill directory but does not modify other skills or system-wide configs.
Assessment
This skill appears to do what it says: it needs Node and your CreatOK API key and will upload any reference images you provide and submit generation tasks to creatok.ai. Before installing/using: (1) review the included code if you want to confirm behavior (it is bundled and run locally, not fetched at install); (2) do not pass sensitive files as reference images (the script will read and upload any file paths you give it); (3) ensure the agent or runner will ask you to confirm before starting paid generation (avoid automatic use of the --yes flag); and (4) keep your CREATOK_API_KEY private and revoke it if you suspect misuse.
!
lib/creatok-client.js:119
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fvnpqrfvv9fjndbztj2eqq5848mmn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode
Primary envCREATOK_API_KEY

Comments