ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tiktok Video

v1.0.0

TikTok creators create raw video footage into TikTok-ready clips using this skill. Accepts MP4, MOV, AVI, WebM up to 500MB, renders on cloud GPUs at 1080p, a...

0· 63·0 current·0 all-time
by@vynbosserman65
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to perform cloud GPU video rendering and only requests a single service credential (NEMO_TOKEN), which matches the described functionality. However the SKILL.md frontmatter lists a config path (~/.config/nemovideo/) while the registry metadata earlier lists no required config paths — that's an internal mismatch worth clarifying (where will it store session tokens/config?).
!
Instruction Scope
The instructions direct the agent to call an external API (mega-api-prod.nemovideo.ai), create anonymous tokens if no NEMO_TOKEN is present, upload video files (local paths or URLs), save session_id, and auto-detect an install path to set X-Skill-Platform. These are expected for a remote render service, but the guidance is vague about where session data is persisted and when local paths are accessed. Auto-detecting install path may cause the agent to inspect local filesystem locations.
Install Mechanism
This is instruction-only with no install spec or code to download or run. That reduces risk compared to skills that fetch arbitrary binaries.
Credentials
Only NEMO_TOKEN is declared as required, which is proportionate for an integration with an external rendering API. The SKILL.md also documents how to obtain an anonymous token if none is present, and the frontmatter's configPaths (not declared elsewhere) suggests the skill may read/write a local config directory — this should be clarified.
Persistence & Privilege
The skill asks the agent to save session_id and may persist session state (implied config path). It is not always-enabled and does not request broad system privileges, but you should confirm where credentials/session data are stored and how long they persist.
What to consider before installing
This skill appears to be a wrapper for an external video-rendering API (mega-api-prod.nemovideo.ai). Before installing or providing files: 1) Verify the service/provider (no homepage or source is listed); 2) Decide whether you trust sending your raw videos to that external host; 3) Prefer generating and supplying your own NEMO_TOKEN rather than allowing anonymous token generation if you want tighter control; 4) Ask the developer where session_id and tokens are stored (SKILL.md mentions ~/.config/nemovideo/ in frontmatter but registry metadata did not) and whether those files are encrypted or scoped to this skill; 5) Don't install if you cannot confirm the domain's legitimacy or privacy policy. If you want to proceed, limit the content you upload (no sensitive videos) and consider revoking any tokens after use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cjmskgh8x08bknths32qfr584j9f3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments