TikTok Agent Publisher
Advisory
Audited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A live publish could post public content from the user's TikTok account.
The skill can publish content to a TikTok account, which is a high-impact external action, but the stated purpose and dry-run framing make this disclosed and purpose-aligned.
Prepare, validate, and explicitly publish TikTok content through the official Content Posting API with dry-run safety.
Use dry-run, manifest, connection status, and privacy-audit flows first; require explicit user approval before any live publish.
The underlying tool may need account authorization that can affect the user's TikTok account.
OAuth access is expected for official TikTok publishing, and the skill also warns not to print OAuth tokens or private user data.
TikTok OAuth readiness
Authorize only the intended TikTok account, review requested scopes, and avoid exposing tokens in chat or logs.
Running the setup command executes code from the npm package available at install time.
The instruction runs an npm package by name without a pinned version; this is normal setup documentation but means the reviewed artifacts do not include the package code that will run.
`npm exec --yes --package=tiktok-agent-publisher -- tiktok-agent-publisher doctor`
Verify the npm package and repository before running npx/npm exec, and prefer a pinned version if reproducibility matters.
Queued publishing work could occur later if the underlying tool supports persistent job execution.
Queued jobs are disclosed as an agent surface and are plausible for publishing workflows, but users should understand whether queued work can persist or run later.
queued jobs
Review queue status and cancellation controls, and do not leave jobs queued unless the user explicitly wants them.
