Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Best Tiktok Video Editor
v1.0.5
The best-tiktok-video-editor skill on ClawHub transforms raw footage into scroll-stopping TikTok content through a simple back-and-forth conversation. Trim d...
⭐ 0· 97·0 current·0 all-time
by @udnerc
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's requests (an API token and a per-user client_id persisted to ~/.config/nemovideo/) are consistent with a cloud video-editing service. However, the registry metadata declares NEMO_TOKEN as a required env var while the SKILL.md states a token can be auto-generated; this mismatch could cause confusion about what the agent actually needs from the user.
Instruction Scope
SKILL.md directs the agent to read/write ~/.config/nemovideo/client_id, to call the external API (https://mega-api-prod.nemovideo.ai) via curl, and to persist a Client-Id. Those actions are within the expected scope for a cloud editor, but the skill also mandates proactive greeting behavior and session setup on first contact — small behavioral controls that are not harmful but are broader than purely 'edit the video' instructions. The instructions do not attempt to read unrelated system files.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing is downloaded or written beyond the explicit client_id file mentioned in SKILL.md. That minimizes install-time risk.
Credentials
The declared primary credential (NEMO_TOKEN) is appropriate for a remote editing service. The concern is twofold: (1) the registry lists NEMO_TOKEN as required while SKILL.md describes auto-generating an anonymous token if none is provided (inconsistency), and (2) the skill writes a file to ~/.config/nemovideo/ which, while described as only containing a UUID, is still persistent disk access. SKILL.md references additional env vars (NEMO_API_URL, NEMO_WEB_URL, NEMO_CLIENT_ID, SKILL_SOURCE) that are not listed as required in the registry — this is not inherently malicious but is another mismatch to note.
Persistence & Privilege
always:false and normal autonomous invocation are fine. The only persistent change is writing ~/.config/nemovideo/client_id (a UUID) to avoid rate limits; the skill does not request elevated system privileges nor does it modify other skills' configuration. This file write is expected behavior but is a persistent artifact to be aware of.
What to consider before installing
This skill appears to be a legitimate frontend for a cloud video-editing API, but check these before installing:
1) Confirm you are comfortable the agent will upload videos to https://mega-api-prod.nemovideo.ai / nemovideo.com and that their privacy policy is acceptable.
2) Understand the skill will create ~/.config/nemovideo/client_id (a UUID) — this is persistent on disk.
3) Note the inconsistency: the registry marks NEMO_TOKEN as required, but SKILL.md says it can auto-generate an anonymous token; decide whether you prefer to provide your own token or let the skill fetch one.
4) Only provide a personal or sensitive API token if you trust nemovideo.com; anonymous tokens are temporary (7 days) per the skill.
5) If you need higher assurance, inspect the publisher repository (https://github.com/nemovideo/nemovideo_skills) and confirm the API endpoints and behavior match your expectations before proceeding.
Like a lobster shell, security has layers — review code before you run it.
latestvk97ed8jrr1d7jsx30z4kqmext583wzcf
Runtime requirements
🎵 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
