ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tiktok Video Maker Free

v1.0.0

create video clips or images into TikTok-ready clips with this tiktok-video-maker-free skill. Works with MP4, MOV, AVI, WebM files up to 500MB. TikTok creato...

0· 11·0 current·0 all-time
by@bwbernardweston18
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is a cloud-based TikTok video creator and only requests a single API token (NEMO_TOKEN), which is reasonable for that purpose. However the package has no homepage or publisher information and the backend domain (mega-api-prod.nemovideo.ai) is not documented elsewhere in the registry metadata — lack of provenance reduces trust. Also the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata earlier said no required config paths, an inconsistency.
!
Instruction Scope
Runtime instructions direct the agent to obtain or use a bearer token, create sessions, upload user files (multipart file path or URL), post messages via SSE, poll render endpoints, and include three custom headers. Uploading user media to the external API is core to the skill, but the instructions assume the agent can read local file paths (e.g., -F "files=@/path") — this requires explicit user consent and access to local files. The instructions do not request other system secrets, but they do instruct network transmission of potentially sensitive media to an external, unattributed backend.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by an installer step.
Credentials
The single required environment variable (NEMO_TOKEN) is proportionate for an API-backed service. However the frontmatter's metadata includes a configPaths entry (~/.config/nemovideo/) which is not declared elsewhere; asking for or reading that path would be beyond the stated single-token requirement and is an unexplained privilege.
Persistence & Privilege
Skill is not always: true and does not request persistent system-wide privileges. It does not indicate modifying other skills or global agent settings.
What to consider before installing
This skill appears to do what it says (upload media and request renders), but proceed cautiously: 1) The publisher and homepage are missing and the backend domain (mega-api-prod.nemovideo.ai) is not verified — try to confirm the service's legitimacy before sending sensitive content. 2) The skill will transmit your video/audio/images to that external API; don't upload private or sensitive media unless you trust the service and its retention/privacy policy. 3) The SKILL.md implies the agent may need to read local file paths to upload files — ensure you only allow uploads you intend to share. 4) The frontmatter lists a config path (~/.config/nemovideo/) even though registry metadata said none — ask the developer why that path is needed and what will be stored/read there. 5) If you prefer minimal exposure, avoid setting a persistent NEMO_TOKEN; use the anonymous token flow only when you understand the service behavior. If you need higher assurance, request publisher identity, a homepage/privacy policy, or an official SDK/README from the maintainer before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97azre89w6ts6ew36jb66rd9s84eepc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments