Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tiktok Scraper
v0.1.0
Discover and scrape TikTok profiles by location and category with browser simulation, stealth, proxy support, and exportable JSON/CSV data including thumbnails.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name and description (TikTok profile discovery + scraping) align with the SKILL.md content: browser simulation, proxies, fingerprinting, thumbnail downloads, JSON/CSV exports. However, the SKILL.md declares runtime dependencies (python3, chromium, Playwright-style behavior) and references a ScrapeClaw project, while the registry metadata lists no required binaries, no install spec, and provides no source/homepage — an incoherence between claimed capabilities and what the package actually provides.
Instruction Scope
Runtime instructions expect reading/writing config files (config/scraper_config.json), creating data/output, data/queue and thumbnails directories, using Google Custom Search API (optional) and residential proxies, and running commands like discover/scrape. The skill will interact with external services (Google APIs, TikTok, proxy providers) and download content (profile images, thumbnails). The SKILL.md implicitly assumes a local scraper implementation is present and that credentials (proxy auth, Google API key) will be supplied, but none of those credentials/config paths are declared in the package metadata. Because the package contains no code, it's unclear which binaries/commands will actually run or how data/credentials are handled.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only — yet SKILL.md lists required runtime bins (python3, chromium) and describes complex functionality (Playwright-like browser stealth, proxy integration, resume queues). That mismatch is risky: an agent following these instructions may assume or attempt to use software that isn't provided or described, and there is no trusted source (no homepage or repository) for obtaining the implementation. Absence of an install mechanism prevents auditing of the actual scraper code and dependencies.
Credentials
Registry metadata declares no required environment variables or primary credentials, but the SKILL.md expects optional Google API credentials and residential proxy credentials (implied). It also reads/writes local config and output paths. The package does not declare these secrets/config requirements, which is an inconsistency: the skill will likely require credentials (proxy provider keys, Google API key) to function, yet they are not listed in metadata for review or gating.
Persistence & Privilege
always:false and no special platform privileges are requested. The skill intends to write local files (queues, outputs, thumbnails) and maintain resume state in data directories — this is expected for a scraper. It does not request to persistently enable itself or alter other skills. However, because it can be invoked autonomously by default, combining autonomous invocation with the above inconsistencies increases risk until the implementation is validated.
What to consider before installing
This skill's behavior and requirements are plausible for a TikTok scraper, but the package is instruction-only and missing the implementation, install steps, and declared credential needs. Before installing or enabling it:
1) Request the source repository or a verified release so you can inspect the code and its dependencies.
2) Require an explicit install spec (pip/Playwright install steps, browser binaries) and a manifest of required environment variables (proxy keys, Google API key) so you know which secrets will be used.
3) Inspect the code for network destinations and any exfiltration logic (where scraped data or credentials might be sent).
4) Run it in a sandboxed environment (isolated VM/container) and do not grant autonomous invocation until you have reviewed the implementation.
5) Consider the legal/TOS implications of scraping TikTok and the cost and legitimacy of residential proxy providers.
If the publisher cannot produce a verifiable source and a proper install/credential manifest, treat the skill as untrusted.
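The core finding of the scan, that the instructions imply binaries, credentials and external hosts which the registry metadata never declares, is mechanical enough to check with a script before the steps above are even started. The following is an added example, not ClawHub's scanner and not this skill's code. The metadata field names (requires.bins, requires.env, install, homepage, files, always) are assumed for illustration, and the SKILL.md excerpt is constructed from the scan's findings rather than copied from the real package; the second metadata block shows what a corrected manifest would look like, with a placeholder homepage.

```python
"""Audit a skill bundle's SKILL.md against its registry metadata.

Added example, not ClawHub's scanner and not the skill's own code. The
metadata field names (requires.bins, requires.env, install, homepage, files,
always) are assumed for illustration; the SKILL.md excerpt is constructed
from the findings in the scan above, not copied from the real package.
"""
import re

# Constructed SKILL.md excerpt (not the real file) reproducing what the scan says it claims.
SKILL_MD = """\
# Tiktok Scraper
Requires: python3, chromium (Playwright-style browser simulation with stealth).
Config: config/scraper_config.json; writes data/output, data/queue and thumbnails/.
Optional: set GOOGLE_API_KEY for Google Custom Search; residential proxies via PROXY_USER and PROXY_PASS.
Commands: `python3 scrapeclaw.py discover --location <city>` then `python3 scrapeclaw.py scrape`.
Talks to https://www.googleapis.com/customsearch/v1 and https://www.tiktok.com/@<handle>.
"""

# Constructed registry metadata with the gaps the scan describes: no bins, no env vars,
# no install spec, no homepage, and only SKILL.md shipped.
METADATA_AS_PUBLISHED = {
    "name": "tiktok-scraper", "version": "0.1.0",
    "requires": {"bins": [], "env": []},
    "install": None, "homepage": None,
    "files": ["SKILL.md"], "always": False,
}

# Constructed metadata for the same skill if the publisher fixed the manifest
# (the homepage is a placeholder, not a real repository).
METADATA_DECLARED = {
    "name": "tiktok-scraper", "version": "0.1.0",
    "requires": {"bins": ["python3", "chromium"],
                 "env": ["GOOGLE_API_KEY", "PROXY_USER", "PROXY_PASS"]},
    "install": "pip install -r requirements.txt && playwright install chromium",
    "homepage": "https://example.invalid/scrapeclaw",
    "files": ["SKILL.md", "scrapeclaw.py"], "always": False,
}

BIN_RE = re.compile(r"\b(python3|python|chromium|chrome|node|npx|pip3|pip)\b", re.IGNORECASE)
ENV_RE = re.compile(r"\b([A-Z][A-Z0-9]*_[A-Z0-9_]+)\b")   # UPPER_SNAKE_CASE tokens, i.e. likely env vars
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")         # host part of any URL mentioned


def extract_claims(skill_md: str) -> dict:
    """What the instructions imply the skill needs and which hosts it will talk to."""
    return {
        "bins": sorted({m.lower() for m in BIN_RE.findall(skill_md)}),
        "env": sorted(set(ENV_RE.findall(skill_md))),
        "hosts": sorted(set(HOST_RE.findall(skill_md))),
    }


def audit(skill_md: str, metadata: dict) -> dict:
    """Compare implied requirements with declared ones; return findings and a verdict."""
    claims = extract_claims(skill_md)
    declared_bins = set(metadata.get("requires", {}).get("bins", []))
    declared_env = set(metadata.get("requires", {}).get("env", []))
    findings = []
    findings += [f"undeclared binary: {b}" for b in claims["bins"] if b not in declared_bins]
    findings += [f"undeclared credential/env var: {e}" for e in claims["env"] if e not in declared_env]
    # Anything that is not a markdown file counts as code we could actually read.
    code_files = [f for f in metadata.get("files", []) if not f.lower().endswith(".md")]
    if not code_files:
        findings.append("instruction-only: no code shipped, nothing to audit")
    if not metadata.get("install"):
        findings.append("no install spec")
    if not metadata.get("homepage"):
        findings.append("no homepage/repository for a verifiable source")
    # External destinations are always listed so the reviewer can confirm each one.
    findings += [f"external destination referenced: {h}" for h in claims["hosts"]]
    if not code_files or any(f.startswith("undeclared credential") for f in findings):
        verdict = "untrusted"      # secrets would flow into code nobody can inspect
    elif findings:
        verdict = "review"         # manifest is coherent; destinations still need eyes
    else:
        verdict = "ok"
    return {"claims": claims, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, meta in (("as published", METADATA_AS_PUBLISHED), ("declared", METADATA_DECLARED)):
        result = audit(SKILL_MD, meta)
        print(f"[{label}] verdict={result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The regexes are deliberately crude: an UPPER_SNAKE token is treated as a credential the agent will be asked to supply, and any binary named in the instructions is treated as something the install spec must provide. False positives are cheap here, because every hit is only a prompt to ask the publisher for the missing declaration; the expensive failure is the other direction, where an undeclared proxy or API key quietly flows into code that was never shipped for review.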
latest: vk972pm0kf7y7x6x8aff921j6ns83dvq7
