ClawAudit verdict

tiktok-video-maker

lovelybots-video

45
๐ŸŸ  Risky
Significant concerns โ€” only install if you understand the risks

The skill uses an API key for authentication, which could potentially lead to security risks if not properly validated.

โš  Flagged for review โ€” coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis โ€” not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.

93
security
70
transparency
70
maintenance

Findings (2)

Coarse signal โ€” prose, single-step high

Instruction-prose smuggling shape detected: collects a sensitive target ("Bearer token") and emits it outward ("send"). Phrased as prose with no trigger tokens โ€” a semantic prompt-injection / data-exfil pattern the syntactic scanners can't see. Final tier capped at Caution; review the instructions before installing.

SKILL.md ยท | Problem | Likely Cause | Fix | |---|---|---| | `401 Invalid or expired API token` | Missing/incorrect Bearer token | Regenerate token at `https://lovelybots.c

Pattern match low

References tunneling service

PUBLISH.md ยท prose ยท downgraded ยท ngrok

Permissions & capabilities

Requires 1 environment variable. (1 sensitive: LOVELYBOTS_API_KEY). Requires 2 system binaries. (1 elevated: curl).

network_outcredential_access

Is this flag fair?

Check another skill Browse the registry Auditing your own skills or configs? Use the API