Skill v1.0.4

VirusTotal security

TikTok Content Pipeline · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 4:49 AM
Hash
a8037db424488100e81220c3b9a8645da81207dc39e8e5ba8591ac29304b4f7b
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: tiktok-content-pipeline
Version: 1.0.4

The skill is classified as suspicious due to its extensive use of `child_process.execSync` for external CLI interaction (Postiz CLI) and dynamic module loading (`require`) based on user-controlled input (template names). While the code demonstrates a clear and consistent effort to mitigate shell injection and path traversal risks through robust input sanitization and a custom `_shellEscape` function in `cli.js`, `core/AnalyticsEngine.js`, and `core/Publisher.js`, these primitives inherently increase the attack surface for potential vulnerabilities. The 'auto-improve' and 'auto-post' features, while documented, grant significant control over account configurations and publishing, which could be abused if the underlying defenses were to fail. There is no evidence of intentional malicious behavior like data exfiltration or unauthorized persistence.