clawbus-tiktok-publish
PassAudited by ClawScan on May 10, 2026.
Overview
This skill does what it claims—publishes user-selected videos to TikTok through MyBrandMetrics—but users should be aware it needs an API key and can create public posts.
Install only if you trust the MyBrandMetrics API integration and intend to let the agent publish TikTok videos. Keep the API key secure, test with SELF_ONLY privacy first, and review the exact video source, title, and privacy setting before publishing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with PUBLIC privacy, the agent can create a public TikTok post from the provided video and title.
The skill can upload a selected local video and publish it publicly. This is purpose-aligned for a TikTok publisher, but it is a high-impact action users should invoke deliberately.
python3 .../publish_tiktok.py --source "/root/.openclaw/workspace/videos/my_video.mp4" --title "Hello from local file" --privacy-level "PUBLIC" --wait-for-published
Use SELF_ONLY for tests, confirm the source file or URL and title before publishing, and only use PUBLIC when you intend the post to go live.
Anyone who can access the configured API key may be able to publish through the connected account, depending on the provider's permissions.
The script requires an API key or authorization token to act through the TikTok/MyBrandMetrics account. This is expected for the integration, but it grants delegated publishing authority.
api_key = config.get('tiktok', {}).get('api_key') or config.get('tiktok', {}).get('authorization_token')Store the API key securely, avoid committing it to files or repositories, and use the least-privileged key available for publishing.
A user may expect environment variables to work, but the scripts as provided will look for credentials in the configured JSON file instead.
The documentation claims environment variable support, but the provided scripts only load the config file path and do not read those environment variables. This appears to be a documentation mismatch rather than hidden behavior.
Environment variables take precedence over values from config.json.
Verify credential loading before use; if relying on environment variables, update the script or provide the expected config.json file.