ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tiktok

v0.1.0

Provides summaries and status updates for public Youku short drama channels and episodes, including rankings, themes, and cast information.

0· 140·0 current·0 all-time
by@codenova58
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a Youku short-drama summarizer in Chinese, but the skill metadata uses the name "Tiktok", has no homepage, and an unknown source/owner. That name/description mismatch and missing provenance are incoherent and unexplained.
Instruction Scope
The instructions are scoped to reading and summarizing public Youku pages and explicitly disclaim bulk scraping or private access. They mention dynamic rendering and suggest "manually opening then parsing" which is vague about what tooling the agent will use (browser tool, headless renderer, or HTTP fetch). This ambiguity could lead to unintended web-browsing/scraping activity if the agent has browsing abilities.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing will be written to disk by the skill package itself.
Credentials
No environment variables, credentials, or config paths are requested — this is proportionate to a public-page summarization task.
Persistence & Privilege
The skill is not marked always:true and has no apparent mechanism to persist or escalate privileges. Autonomous invocation is allowed (platform default) but not by itself a red flag here.
What to consider before installing
Do not install blindly. Ask the publisher to clarify: why is the skill named "Tiktok" while the instructions target Youku, and provide a homepage or source repository for review. Confirm which agent tools the skill will use to "open" pages (a browser plugin, headless renderer, or simple HTTP fetch) and whether the agent will obey rate limits and robots.txt. Because the skill may trigger web browsing/scraping behavior, ensure you do not grant it any credentials or elevated network access, and verify compliance with Youku's terms before using it. If you need this functionality, prefer a skill with clear provenance (homepage/repo), matching metadata, and explicit tooling/limits.

Like a lobster shell, security has layers — review code before you run it.

latestvk97388bq2pcdy901mjzhgt7tp9836xxc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments