Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tiktok Editing With Ai
v1.0.0Skip the learning curve of professional editing software. Describe what you want — cut to the beat, add trending captions, and trim dead air for a 30-second...
⭐ 0· 59·0 current·0 all-time
bypeandrover adam@peand-rover
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (AI TikTok editing) matches the runtime instructions: an external cloud backend at mega-api-prod.nemovideo.ai, upload endpoints, render/export endpoints, and a single service credential (NEMO_TOKEN). Required artifacts (video upload, render, download) are proportional to the stated purpose.
Instruction Scope
SKILL.md directs network operations to a single third‑party API, session creation, file uploads, SSE streaming, polling, and anonymous-token creation when NEMO_TOKEN is absent. These actions are consistent with cloud rendering, but the doc also requires automated platform detection (X-Skill-Platform) and mentions a config path in frontmatter (~/.config/nemovideo/) even though the instructions do not describe reading that path — a minor inconsistency worth noting. The instructions do not ask to read arbitrary local files beyond the declared env var.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes disk-write/executable install risk: the skill will only perform runtime HTTP calls as described.
Credentials
The only required credential is NEMO_TOKEN (declared primaryEnv) which is appropriate for a service that uploads and renders video. However: 1) providing a NEMO_TOKEN grants the skill bearer whatever API permissions that token represents (uploads, renders, credits, account access) — review what that token controls; 2) SKILL.md also describes the ability to mint an anonymous token via the service if no token is present (100 free credits, 7-day expiry), so the skill can operate without a user token but will route media to the external provider; and 3) metadata lists a config path (~/.config/nemovideo/) that is not referenced in the instructions — unclear whether the skill will attempt to read or write that path.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence. It can be invoked autonomously per platform defaults, which is normal. There is no install-time modification of other skills or system settings described.
What to consider before installing
Key things to consider before installing: 1) Source reputation: there is no homepage or identifiable publisher — that increases risk; verify the nemovideo.ai service independently before handing over tokens or private videos. 2) Token scope: a provided NEMO_TOKEN likely grants upload/render/credit access to your account — only supply it if you trust the service. Prefer using the anonymous-token path for testing (it expires) and try non-sensitive sample videos first. 3) Data privacy: video/audio you upload will be sent to mega-api-prod.nemovideo.ai; review their privacy/retention policy and whether uploads may be used for model training. 4) Metadata mismatch: the frontmatter references a local config path (~/.config/nemovideo/) not described in the runtime steps — ask the author whether the skill reads/writes that path. 5) If you require confidentiality, do not install or upload sensitive footage until you confirm the service's policies and the skill's origin. If you proceed, monitor what token you provide and limit its permissions where possible.Like a lobster shell, security has layers — review code before you run it.
latestvk97admreztgdxcw2r3n7mwwa8d84m7jz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN