TikTok Streak Bot

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed TikTok messaging bot, but it stores reusable account cookies in a plain local file and can send scheduled messages automatically, so users should review it carefully before installing.

Install only if you are comfortable giving the skill an authenticated TikTok session and allowing scheduled messages from your account. Use a dedicated or low-risk account, keep data/cookies.json out of shared folders and source control, remove or rotate the session after use, review the recipient list and daily limit before enabling the schedule, and consider TikTok account or policy consequences from automated messaging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Medium (89% confidence)

Finding
The overview describes automated TikTok messaging using browser simulation, cookie-based session management, and scheduled daily execution, but provides no warning about privacy, platform-policy, or account-security implications. This omission can mislead users into running automation that exposes session cookies, triggers account restrictions, or sends messages without sufficient consent and operational safeguards.

Missing User Warnings

Severity: Medium (83% confidence)

Finding
This code persists authenticated TikTok session cookies to a local JSON file without any indication of user consent, disclosure, or protection controls in this file. Stored session cookies are sensitive secrets; if the host, workspace, logs, backups, or shared skill data are accessed by another party, an attacker could reuse them to hijack the TikTok account session without needing credentials or MFA.

Missing User Warnings

Severity: High (92% confidence)

Finding
This manifest explicitly combines automated messaging, persistent file reads/writes, scheduled execution, and network access, but provides no warning or consent language about privacy risks, account actions, or automated outbound behavior. In the context of a TikTok messaging bot, that omission is dangerous because users may unknowingly enable spam-like actions, expose account/session data such as cookies, or trigger account penalties and privacy harm through unattended operation.

Missing User Warnings

Severity: Medium (94% confidence)

Finding
The skill instructs users to export and store authenticated TikTok cookies, which are effectively session credentials that can grant direct account access if copied or leaked. Because this skill relies on browser automation and local file storage, the absence of explicit handling and storage warnings increases the chance that users will save reusable authentication material insecurely, exposing the account to takeover.

VirusTotal

67/67 vendors flagged this skill as clean.