Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tiktok Bulk Publisher Test
v1.0.0
Automate bulk uploading and publishing of TikTok videos with customizable titles, privacy, comment/duet/stitch controls, and upload status checks.
by @fly3094
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name, README, SKILL.md, and code all align with a TikTok bulk-publisher (upload, chunked upload, finalize, status). However, the registry metadata claims no required environment variables or primary credential, while SKILL.md and the code expect TikTok credentials (client key, secret, access token). That mismatch is unexpected and reduces transparency.
Instruction Scope
SKILL.md instructions stay within the stated purpose: they describe exporting TIKTOK_CLIENT_KEY / TIKTOK_CLIENT_SECRET / TIKTOK_ACCESS_TOKEN and running the Python script or using its Python API. The instructions don't ask the agent to read unrelated system files or exfiltrate arbitrary data.
Install Mechanism
There is no install spec (instruction-only), which is low risk. A code file (tiktok_publisher.py) and package.json are included; package.json references a GitHub repo and installation via 'npx clawhub install' but no automated installer is declared. This is not itself malicious but inconsistent and worth verifying.
Credentials
The code and SKILL.md require TikTok credentials (client key/secret and access token) — these are appropriate for the stated purpose. The concern is that the registry metadata omitted declaring any required env vars/primary credential, meaning users may not be warned by the registry about needing to supply sensitive tokens. Verify scope and origin before providing credentials.
Persistence & Privilege
The skill does not request 'always: true' or other persistent privileges, and does not attempt to modify other skills or system-wide settings. Agent autonomous invocation is allowed by default (normal).
What to consider before installing
This skill's code and SKILL.md legitimately require TikTok credentials (client key, client secret, access token), but the registry metadata does not declare them — that's a transparency/information mismatch. Before installing: (1) verify the skill source (follow the repository URL in package.json or contact the author); (2) review the included tiktok_publisher.py yourself or have someone you trust inspect it; (3) only provide short-lived or scoped test tokens (and avoid reusing production credentials); (4) run in an isolated environment (container or VM) if possible; (5) ensure tokens are revocable and grant only required scopes (video.publish, user.info.basic); and (6) if you cannot verify the author/source, decline to install or treat it as untrusted code. If you want, I can list the exact lines in tiktok_publisher.py that handle tokens and network calls for an additional review.
Like a lobster shell, security has layers — review code before you run it.
