ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Image To Video Tiktok

v1.0.0

Get TikTok-ready video ready to post, without touching a single slider. Upload your static images (JPG, PNG, WEBP, HEIC, up to 200MB), say something like "tu...

0· 49·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description align with the runtime instructions: it uploads images and uses a cloud backend (mega-api-prod.nemovideo.ai) to produce MP4s. The declared primary credential (NEMO_TOKEN) makes sense. However, the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/) while the registry metadata lists no required config paths — that mismatch is unexpected and could indicate sloppy packaging.
Instruction Scope
Instructions remain within the stated purpose: create sessions, upload images, handle SSE, poll for renders, and return download URLs. Important privacy/behavior notes: the agent is instructed to upload user images to a third-party cloud service and may create or fetch an anonymous NEMO_TOKEN if none is present (POST to /api/auth/anonymous-token). The skill explicitly tells the agent not to expose tokens, but it will transmit user media and metadata to nemovideo.ai — this is expected for the feature but is a meaningful data flow to an external service.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low risk from an install/execution-supply perspective (nothing is downloaded or written by an installer).
Credentials
Only one environment variable is required (NEMO_TOKEN), which is proportional to a cloud-API integration. The frontmatter also references a config path (~/.config/nemovideo/) that could contain credentials; the registry metadata did not list this path — that mismatch should be clarified. The skill will also obtain an anonymous token from the backend if no NEMO_TOKEN is present (network call), which is expected but worth noting.
Persistence & Privilege
No elevated persistence requested: always:false, no install, and no instructions to modify other skills or system-wide agent settings. The skill does not request permanent platform-wide privileges.
What to consider before installing
This skill uploads whatever images you provide to a third-party backend (mega-api-prod.nemovideo.ai) and uses a bearer token (NEMO_TOKEN) to authenticate; if you don't supply a token it will obtain an anonymous one for you. Before installing or using it: 1) Confirm you trust nemovideo.ai with the images and any metadata (do not upload sensitive photos). 2) Decide whether to provide your own NEMO_TOKEN or allow the skill to create an anonymous token (anonymous tokens appear to expire after 7 days and may have limited credits). 3) Ask the publisher to clarify the configPaths discrepancy (SKILL.md references ~/.config/nemovideo/ but the registry metadata lists none). 4) Check the service's privacy/retention policy and how to revoke tokens if you later decide to stop using the skill. The inconsistencies look like sloppy packaging rather than obvious malice, but exercise caution with private or sensitive content.

Like a lobster shell, security has layers — review code before you run it.

latestvk978r3kch4kxqqcxwkhtj1ch9984qqj6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments