ℹ
Purpose & Capability
Name and description align with the included code: Playwright-based detection plus streamlink/yt-dlp fallbacks. However, the registry/metadata claims no required binaries, while the SKILL.md and scripts clearly require Node.js, Playwright/Chromium, and optionally streamlink, yt-dlp, python3, and jq. That mismatch (missing declared dependencies) is a packaging/information consistency issue.
!
Instruction Scope
SKILL.md tells the agent to run the included Node scripts, which in turn monitor network traffic and invoke local helper scripts. The code listens to network responses (only TikTok URLs) and writes logs to /tmp. The bigger concern: the Node code uses child_process.exec to call bash with unescaped user-provided values (username, quality), which creates a command-injection risk if those values are attacker-controlled. The shell scripts also use eval and perform unescaped string interpolation. While these actions are within the scope of extracting streams, the lack of input sanitization is a security issue.
✓
Install Mechanism
No install spec; this is instruction-plus-code only and does not download arbitrary code at install time. That reduces supply-chain risk. The runtime does require Playwright/Chromium and external CLI tools (streamlink, yt-dlp) but nothing in the package fetches remote archives or runs network installers.
✓
Credentials
The skill requests no environment variables or credentials. The code does not attempt to read hidden credentials or unrelated system config. This is proportionate to its stated purpose.
✓
Persistence & Privilege
The skill is not marked always:true and does not try to modify other skills or system-wide agent settings. It runs as invoked and writes only to temporary files for yt-dlp logging; no persistent privileged presence is requested.
What to consider before installing
This skill appears to do what it says (detect TikTok live streams and extract FLV URLs), but there are two practical risks to consider before installing or running it:
1) Missing dependency declarations: The registry metadata lists no required binaries, but the SKILL.md and scripts require Node.js (16+), Playwright/Chromium, and optionally streamlink, yt-dlp, python3, and jq. Make sure those tools are present and up to date in a controlled environment.
2) Command injection vulnerability: The Node code uses child_process.exec to run the included shell scripts and interpolates username/quality directly into the shell command. If an attacker can control those inputs (or you run with untrusted usernames), they could execute arbitrary shell commands. Mitigations: run the skill only in an isolated container or VM, avoid passing untrusted input, or patch the code to use safer child_process APIs (spawn with argument arrays or properly escape/sanitize inputs).
Other recommendations: review the included scripts yourself, run the tool under a non-privileged account, and consider restricting autonomous invocation until you've validated it in a sandbox. If you need higher assurance, request a version that properly escapes shell arguments and documents all runtime dependencies.