Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tiktok Video Generator Ai

v1.0.0

generate video clips or images into TikTok-ready videos with this skill. Works with MP4, MOV, JPG, PNG files up to 500MB. TikTok creators use it for generati...

by peandrover adam (@peand-rover)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (generate TikTok-ready videos) matches the instructions: the SKILL.md directs uploads and render/export calls to a cloud rendering API and requires a NEMO_TOKEN bearer token — these are coherent for a remote video-rendering service.
Instruction Scope
The runtime instructions direct the agent to upload user media and session state to https://mega-api-prod.nemovideo.ai, create/refresh tokens, open SSE streams, and poll for render results. Uploading user files and session data to a third-party service is expected for this feature but is a privacy/exfiltration risk — the SKILL.md does not include any user-consent or content-sensitivity checks and instructs creating/using a token that will be used for all subsequent requests.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
The only declared credential is NEMO_TOKEN, which is proportionate for a third-party API. However, SKILL.md frontmatter references a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — this inconsistency should be clarified. The skill also instructs generating an anonymous token and then using it as NEMO_TOKEN; make sure you understand where (if anywhere) the token will be stored.
Persistence & Privilege
always:false and no unusual persistence or system-wide modification is requested. Autonomous invocation is allowed (platform default) — combine this with network access to the external API when considering risk.
What to consider before installing
This skill talks to a third-party service (mega-api-prod.nemovideo.ai) and will upload whatever files you give it for remote AI rendering. That matches its stated purpose, but before installing you should: (1) confirm you trust the service and its privacy/retention policies (the package has no homepage and source is unknown), (2) avoid uploading sensitive or private media, (3) clarify how and where the anonymous NEMO_TOKEN and session IDs are stored (they may grant access to your uploads), (4) note the frontmatter references ~/.config/nemovideo/ while registry metadata does not—ask the author to explain this discrepancy, and (5) consider running network monitoring or using disposable/ephemeral tokens if you test the skill. If you need stronger assurance, request the skill's source code or a reputable homepage/TOS before proceeding.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎵 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN