Skillv3.0.0

ClawScan security

TikTok · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 11, 2026, 5:13 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an internally consistent, local-first TikTok content authoring and analytics helper: it stores JSON files under your home directory and contains only CLI scripts and guidance with no network access or credential requests.
Guidance: This skill appears to do what it says: generate and save TikTok ideas, hooks, scripts, and simple analytics locally. Before installing, consider: (1) It will create and update files at ~/.openclaw/workspace/memory/tiktok (profile, content_bank, analytics, pattern_report) — data is stored unencrypted as JSON. (2) Review the included scripts if you are concerned about privacy or exfiltration; these scripts perform only local file I/O and display output. (3) Avoid logging sensitive or personally identifiable data into the analytics or content files. (4) Run the Python scripts in a controlled environment (virtualenv) if you plan to execute them. (5) Because the agent can invoke skills autonomously by default, only enable/use this skill if you are comfortable with the agent creating or updating those local files. If you'd like, I can point out exact lines where files are read/written or help you modify the storage path or add encryption.

Purpose & Capability: okThe name/description (TikTok Growth OS) matches the included scripts and documentation: scripts implement profile management, saving/browsing content, logging performance, and summarizing patterns. Nothing in the manifest or code asks for unrelated capabilities (cloud credentials, platform APIs, posting automation).
Instruction Scope: okSKILL.md scopes behavior to local content generation, optional local saving, and using locally logged analytics. Instructions do not direct reading of unrelated system files, network calls, scraping, or posting; they explicitly state 'No API, no posting, no platform automation.'
Install Mechanism: okNo install spec is present (instruction-only). The package includes only small Python scripts and reference docs; there are no downloads, external installers, or archive extraction steps.
Credentials: okThe skill declares no required environment variables, binaries, or credentials. The only persistent state is written to ~/.openclaw/workspace/memory/tiktok — consistent with the stated local-memory behavior.
Persistence & Privilege: okalways is false and the skill does not request system-wide changes. It writes only to its own subdirectory under the user's home and does not modify other skills or system configs.