Skillv1.0.0

ClawScan security

TikTok Ads Strategy: Creative-First Campaigns and Optimization · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 12, 2026, 1:52 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: An instruction-only TikTok ads strategy guide that is internally consistent with its stated purpose; it does not request credentials or install code, but it does reference a local CLI check (adkit status) which the agent might try to run if available.
Guidance: This skill is essentially a human-readable TikTok ads playbook and appears coherent. Before enabling or allowing autonomous use, consider: (1) The SKILL.md suggests running 'adkit status' — if you have an adkit binary installed, the agent could run it and that binary might access stored tokens; only allow that if you trust the local CLI. (2) The skill does not ask for credentials, but any local tooling it invokes could. (3) Because it’s instruction-only, no code will be installed by the skill itself — verify any external tooling (AdKit) you choose to use separately. If you prefer tighter control, disable autonomous execution or confirm with the agent before it runs any local commands or accesses any third-party CLIs.

Review Dimensions

Purpose & Capability: okThe name and description (TikTok ad strategy, formats, creative guidance, targeting, bidding, optimization) match the SKILL.md content. Nothing in the skill requests unrelated cloud credentials, system-level access, or capabilities beyond ad strategy and execution guidance.
Instruction Scope: noteThe instructions are mostly advisory and stepwise for TikTok Ads Manager. They do include a runtime check: 'run adkit status' and a conditional to use AdKit CLI if present. This is within the scope of 'execution' guidance, but it instructs the agent to run a local command if available, which could cause the agent to interact with a local binary and any credentials that binary already holds.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files — the lowest-risk install profile. The only external reference is a homepage (https://adkit.so) mentioned as an optional tool; the skill does not attempt to download or execute code from that site.
Credentials: noteThe skill declares no required environment variables or credentials, which is appropriate for a strategy guide. Caveat: if the agent follows the SKILL.md and invokes an installed AdKit CLI, that CLI may use local credentials or tokens already stored on the machine; the skill itself does not request or enumerate those secrets.
Persistence & Privilege: okalways is false and there are no installation hooks or requests for persistent presence. The skill is user-invocable and can be invoked autonomously (default behavior), which is normal for skills and not by itself concerning.