ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Editor Ai Tiktok

v1.0.0

edit raw video clips into TikTok-ready clips with this editor-ai-tiktok skill. Works with MP4, MOV, AVI, WebM files up to 500MB. TikTok creators use it for e...

0· 57·0 current·0 all-time
by@vcarolxhberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, accepted file types, and required NEMO_TOKEN align with a cloud video-editing backend. Requiring a single NEMO_TOKEN is appropriate for the stated purpose. However, the skill also instructs detection of an install path (~/.clawhub/ or ~/.cursor/skills/) to set an attribution header; that filesystem probing is not strictly necessary for editing and is undocumented in the metadata.
!
Instruction Scope
SKILL.md directs the agent to POST user media and metadata to https://mega-api-prod.nemovideo.ai and to automatically obtain an anonymous NEMO_TOKEN if none is present (generate UUID, call /api/auth/anonymous-token and treat returned token as NEMO_TOKEN). It also instructs reading/detecting the agent's install path to set X-Skill-Platform. Automatic token acquisition and implicit filesystem reads expand the agent's runtime scope beyond simple request/response editing and could lead to unexpected uploads or token storage without explicit user consent.
Install Mechanism
No install spec or code is provided (instruction-only), so nothing is written to disk by the skill itself. This minimizes installer-side risk.
Credentials
Only one declared credential (NEMO_TOKEN) is required, which is proportional to a cloud API client. The instruction to auto-create and use an anonymous token (and to treat that token as NEMO_TOKEN) implies the skill may populate or rely on an env-var at runtime; where/how that token is persisted is not specified.
Persistence & Privilege
Skill is not always:true and does not request elevated platform privileges. There is no install behavior that claims to modify other skills or global agent config. The main persistence risk is implicit: token acquisition and possible storage/persistence of the returned token are not described.
What to consider before installing
This skill appears to call an external cloud service to edit and export your videos. Before using it, consider: 1) The skill will upload your media to https://mega-api-prod.nemovideo.ai — do not send sensitive or private videos unless you trust that endpoint and its privacy policy. 2) If you do not provide NEMO_TOKEN, the skill will automatically request an anonymous token on your behalf (calls /api/auth/anonymous-token) and treat that as NEMO_TOKEN; confirm you are comfortable with automatic token acquisition and possible token persistence. 3) The skill asks the agent to detect its install path (~/.clawhub / ~/.cursor/skills) to set attribution headers—this implies a filesystem check that you may want to be aware of. 4) The package has no homepage or known source listed; consider verifying the service domain and operator before uploading content or providing credentials. If you proceed, prefer providing a token you control (and understand its scope/expiration) rather than relying on the anonymous flow, and avoid uploading any media you would not want processed by an external third party.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cpps68xgv1pxg62dwv1qbxn84k9gn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments