Creatok Generate Video

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears purpose-aligned for CreatOK TikTok video generation, but users should know it uses a CreatOK API key, can spend credits after confirmation, and may upload selected reference images.

Before installing, confirm that you trust CreatOK with your prompts, selected reference images, API key, and any credits spent on generation. The reviewed artifacts do not show hidden exfiltration, destructive behavior, or background persistence.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A generation request may consume CreatOK credits or start a paid/high-cost operation if confirmed or if --yes is used.

Why it was flagged

The CLI asks for confirmation by default before generation, but the --yes flag can bypass the interactive prompt, so the caller must ensure user approval was obtained first.

Skill content

if (key === '--yes') { args.yes = true; } ... if (!resolvedArgs.yes) { const confirmed = await confirmGeneration(resolvedArgs);

Recommendation

Review the model, duration, definition, reference images, and estimated credits before approving; only use --yes after explicit confirmation.

What this means

Anyone running the skill with this environment variable can use the associated CreatOK account permissions and credits available to that key.

Why it was flagged

The skill requires a CreatOK API key from the environment and uses it to authenticate to the CreatOK service, which is expected for this integration but is still sensitive account access.

Skill content

const apiKey = process.env.CREATOK_API_KEY; ... baseUrl: 'https://www.creatok.ai', openSkillsKey: String(apiKey)

Recommendation

Use a CreatOK API key scoped appropriately for this workflow, keep it out of logs and shared files, and revoke or rotate it if exposed.

What this means

Selected local images leave the device and are shared with the CreatOK upload/storage flow for video generation.

Why it was flagged

When reference images are provided, the skill reads those local image files and uploads them to a presigned external upload URL for CreatOK processing.

Skill content

const file = await fs.readFile(filePath); ... await fetch(upload.presignedUploadUrl, { method: 'PUT', headers: { 'Content-Type': fileType }, body: file })

Recommendation

Only provide reference image paths for files you intend to upload, and avoid using private or sensitive images unless you are comfortable sharing them with the provider.

What this means

Users have less provenance information for independently verifying the publisher or upstream project.

Why it was flagged

The provided metadata does not include an upstream source or homepage, although the reviewed package contains readable code and no installer script.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Install only if you trust the ClawHub listing and the CreatOK service; prefer versions with clear source and publisher information when available.