Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Add Music To Tiktok

v1.0.0

Get music-backed videos ready to post, without touching a single slider. Upload your video clips (MP4, MOV, AVI, WebM, up to 500MB), say something like "add...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's required credential (NEMO_TOKEN) and the declared config path (~/.config/nemovideo/) are coherent with a cloud rendering backend. The described API endpoints, upload, render, and export flows align with a remote video-processing service for adding music to videos.
Instruction Scope
SKILL.md instructs the agent to automatically obtain an anonymous token when no NEMO_TOKEN is present, to create sessions and store the session_id, and tells it: 'don't display raw API responses or token values to the user.' It also instructs the agent to derive an attribution header by inspecting install paths (~/.clawhub/, ~/.cursor/skills/), which requires reading local filesystem state. These behaviors expand scope beyond simple upload/convert operations and reduce transparency about credentials and requests.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes risk from arbitrary installs or writing executables to disk.
Credentials
Only one env var is required (NEMO_TOKEN), which is proportional. However, instructions allow creating an anonymous bearer token on the user's behalf and advise hiding tokens and API responses. The skill also references a user config path and uses install-path-derived headers—these require filesystem access and leak metadata about the host environment. Requesting to 'keep tokens hidden' is unusual and reduces user visibility into what credentials are used.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It asks to store session_id for ongoing jobs and notes jobs may be orphaned if the client closes; it does not request unusual platform-wide privileges or modify other skills.
What to consider before installing
This skill appears to implement a legitimate remote video-rendering workflow, but proceed cautiously. Key points to consider before installing or using it:
- It will upload your video files to a third-party backend (https://mega-api-prod.nemovideo.ai). Do not upload sensitive or private content unless you trust that service and have reviewed its privacy/security practices.
- The skill auto-creates an anonymous bearer token if you don't supply NEMO_TOKEN and instructs the agent to hide raw API responses and token values. That reduces transparency—ask the publisher how long tokens/sessions persist and where session data is stored.
- The runtime instructions require reading install paths to set an attribution header. If you are uncomfortable with a skill inspecting filesystem paths, do not install it.
- There is no code to review and the source/homepage are unknown. Prefer skills from known publishers or request the service's documentation and privacy policy before use.

If you want to proceed: set your own NEMO_TOKEN only if you trust the provider, avoid uploading private data, and ask the publisher to clarify token/session storage and the purpose of the attribution headers. If you need higher assurance, ask for the skill's source or an auditable implementation before enabling it.


latest: vk972vnjw2zz0c9jgv98wz318bx84mzt9


Runtime requirements

🎵 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
