ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tiktok Video Editor Pc

v1.0.0

edit raw video clips into TikTok-ready clips with this skill. Works with MP4, MOV, AVI, WebM files up to 500MB. TikTok creators use it for editing vertical v...

0· 48·0 current·0 all-time
by@siddylcon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (TikTok video editing) align with the behavior described in SKILL.md: session creation, file upload, SSE edits, and render/poll/export flows. The required env var NEMO_TOKEN is reasonable for a cloud API. However, the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) and metadata about install-path detection while the registry metadata said 'Required config paths: none' — an inconsistency that should be clarified.
Instruction Scope
Runtime instructions stay within video-editing scope: create session, upload user-provided files (multipart or URL), send SSE edits, poll for render results. They do instruct network calls to an external domain (mega-api-prod.nemovideo.ai) which is expected for a cloud service. Two items deserve attention: (1) instructions require auto-detecting X-Skill-Platform from the install path (this implies reading agent/install paths or environment to determine platform), and (2) the frontmatter's configPaths suggests the skill may read ~/.config/nemovideo/ — neither of which was declared in the registry as required. Otherwise the skill does not instruct broad file-system or unrelated secret access.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes install-time risk (nothing is downloaded or written by an installer).
!
Credentials
The only declared credential is NEMO_TOKEN which is proportionate to a cloud editing service. However, the SKILL.md frontmatter lists configPaths (~/.config/nemovideo/) and the instructions ask to auto-detect platform from the install path; the registry metadata contradicted the config path claim. This mismatch raises a concern: the skill may expect to read a local config directory or inspect install paths without that being clearly declared. Confirm whether the agent will access that directory and why.
Persistence & Privilege
The skill is not always-on and has no install-time persistence. Autonomous invocation is allowed (platform default), which is normal. There is no evidence the skill modifies other skills or system-wide configs.
What to consider before installing
What to check before installing or invoking this skill: - Confirm the provenance of NEMO_TOKEN: only provide a token you control for this service. Do not reuse tokens/credentials from other services. - The skill will upload video files you provide to https://mega-api-prod.nemovideo.ai for processing. If you are concerned about privacy or sensitive content, test with non-sensitive sample files or a throwaway account first. - Ask the publisher (or check the source) whether the skill will read ~/.config/nemovideo/ or inspect the agent's install path. The registry metadata and SKILL.md disagree; request clarification. If you do not want local config access, deny or sanitize that permission. - Verify the domain (mega-api-prod.nemovideo.ai) is the intended backend. If you don't recognize it, treat uploads/tokens as sensitive and prefer a vetted/official integration. - Because the skill creates and uses session tokens and may re-request anonymous tokens, be cautious about leaving long-lived or high-privilege tokens in your environment variable space; use short-lived or limited-scope tokens where possible. - If you need higher assurance, request a source repository or contact info from the publisher so you can audit how the skill behaves before using it with real content.

Like a lobster shell, security has layers — review code before you run it.

latestvk974adwp1kxwj0jxaa2t6rnmkn84swmx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎬 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments