Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Photo Video Tiktok

v1.0.0

Skip the learning curve of professional editing software. Describe what you want — turn these photos into a TikTok video with music and transitions — and get...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description align with its runtime instructions to upload images and request rendered MP4s from a cloud backend. Requesting a single NEMO_TOKEN credential is proportionate for a cloud video service. However the SKILL.md frontmatter declares a config path (~/.config/nemovideo/) while the registry metadata lists no required config paths — that mismatch is unexplained and could indicate the skill expects to read local configuration files.
Instruction Scope (flagged)
The instructions tell the agent to check NEMO_TOKEN and, if it is absent, to call an anonymous-token endpoint and use the returned token. They also specify deriving attribution headers (including X-Skill-Platform) by detecting the skill install path (e.g., ~/.clawhub/, ~/.cursor/skills/), and they refer to a local config path in the YAML frontmatter. Asking the agent to inspect install paths or local config directories goes beyond simply sending user-provided images and could access local state unrelated to converting photos to video. Other actions (uploads, SSE, polling renders) are within the stated purpose.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — low install risk. Nothing will be downloaded or written by an automatic installer per the provided metadata.
Credentials (flagged)
Only NEMO_TOKEN is declared as required, which is reasonable. But the frontmatter also lists a config path (~/.config/nemovideo/) that was not declared in the registry 'Required config paths' field — an unexplained additional local access. The skill also instructs creation and use of an anonymous token if NEMO_TOKEN is missing (reasonable), but the need to read install/config paths to compose headers is not justified by the description.
Persistence & Privilege
The skill is not marked 'always' and is user-invocable. It relies on ephemeral session tokens and API calls. There is no evidence it requests ongoing elevated privileges or modifies other skills or system-wide settings.
What to consider before installing
This skill appears to do what it claims (upload photos, call a cloud render API, return a video) and only needs a NEMO_TOKEN, but there are two things to check before installing or using it:

(1) Metadata mismatch — the SKILL.md frontmatter references a local config directory (~/.config/nemovideo/) and asks the agent to detect the install path to set an attribution header. Ask the author why the skill needs to inspect local install/config paths and whether any files there are read.

(2) Network endpoints — this skill will POST images and create sessions at https://mega-api-prod.nemovideo.ai; confirm you trust that domain and review its privacy/retention policy before uploading sensitive images.

Practical precautions: provide only non-sensitive test images at first, avoid supplying real account credentials (use the anonymous token flow if available), and request clarification from the publisher about the config path and header derivation behavior. If the author confirms the config path is unused or optional, the concerns here are minor; if not, consider this a privacy risk.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📸 Clawdis
Env: NEMO_TOKEN
Primary env: NEMO_TOKEN
