clawbus-tiktok-publish

Pass

Audited by VirusTotal on May 8, 2026.

Overview

Type: OpenClaw Skill
Name: clawbus-tiktok-publish
Version: 1.0.0

The skill bundle provides a legitimate interface for publishing videos to TikTok via the MyBrandMetrics API (api.mybrandmetrics.com). The Python scripts (publish_tiktok.py and check_status.py) are well-structured, follow the documented purpose, and contain no evidence of obfuscation, credential theft, or unauthorized execution. While the scripts can read local files for upload, this is a core feature of the skill and is handled through standard multipart/form-data requests to the designated API endpoint.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with PUBLIC privacy, the agent can create a public TikTok post from the provided video and title.

Why it was flagged

The skill can upload a selected local video and publish it publicly. This is purpose-aligned for a TikTok publisher, but it is a high-impact action users should invoke deliberately.

Skill content

python3 .../publish_tiktok.py --source "/root/.openclaw/workspace/videos/my_video.mp4" --title "Hello from local file" --privacy-level "PUBLIC" --wait-for-published

Recommendation

Use SELF_ONLY for tests, confirm the source file or URL and title before publishing, and only use PUBLIC when you intend the post to go live.

What this means

Anyone who can access the configured API key may be able to publish through the connected account, depending on the provider's permissions.

Why it was flagged

The script requires an API key or authorization token to act through the TikTok/MyBrandMetrics account. This is expected for the integration, but it grants delegated publishing authority.

Skill content

api_key = config.get('tiktok', {}).get('api_key') or config.get('tiktok', {}).get('authorization_token')

Recommendation

Store the API key securely, avoid committing it to files or repositories, and use the least-privileged key available for publishing.

What this means

A user may expect environment variables to work, but the scripts as provided will look for credentials in the configured JSON file instead.

Why it was flagged

The documentation claims environment variable support, but the provided scripts only load the config file path and do not read those environment variables. This appears to be a documentation mismatch rather than hidden behavior.

Skill content

Environment variables take precedence over values from config.json.

Recommendation

Verify credential loading before use; if relying on environment variables, update the script or provide the expected config.json file.