TokPortal

Warn

Audited by ClawScan on May 10, 2026.

Overview

TokPortal is clear about its purpose, but it gives an agent broad power to create and publish social media accounts/content at scale, spend credits, upload files, and retrieve account credentials.

Install only if you trust TokPortal and the tokportal-mcp npm package. Use a limited API key if available, pin or review the MCP package, and do not allow autonomous bulk creation, publishing, uploads, credit-spending, or credential-retrieval actions without explicit confirmation.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked incorrectly or too autonomously, the agent could create accounts, configure profiles, publish or schedule content, upload media, and consume paid credits.

Why it was flagged

The skill explicitly grants broad mutation authority over external social media operations, including account creation, publishing, configuration, scheduling, and uploads, without documenting confirmation or scope limits for high-impact actions.

Skill content

giving your AI agent full control over TikTok and Instagram operations at scale

Recommendation

Require explicit user approval for create, bulk-create, publish, finalize, upload, and credit-spending actions; set spending and account-count limits; and prefer dry-run previews before execution.

What this means

An agent or anyone with access to the API key could retrieve login details and verification codes for social media accounts.

Why it was flagged

The skill exposes delivered-account credentials and verification codes, which are high-privilege identity artifacts. The artifacts do not describe safeguards for when these are retrieved, displayed, stored, or shared.

Skill content

- `get_account_detail` — Full credentials + TokMail email for an account
- `get_verification_code` — Retrieve the latest 6-digit verification code

Recommendation

Use the least-privileged TokPortal key available, restrict who can invoke credential tools, avoid logging or saving returned credentials, and require explicit user approval before retrieving verification codes or account passwords.

What this means

A compromised or changed npm package could affect local execution or misuse the configured API key.

Why it was flagged

The setup relies on an external npm MCP package that is not included in the reviewed artifacts and is not version-pinned. This is expected for the stated MCP integration, but the package will run locally and receive the TokPortal API key.

Skill content

`npm install -g tokportal-mcp` ... `"command": "npx", "args": ["-y", "tokportal-mcp"]`

Recommendation

Verify the npm package source, pin a known-good version where possible, review the MCP server code before use, and rotate the API key if the package is no longer trusted.

What this means

Local videos or images selected for upload may become accessible through TokPortal-hosted public URLs.

Why it was flagged

The MCP tools can transmit selected local media to TokPortal and return public URLs. This is purpose-aligned for social media uploads, but users should understand the data boundary.

Skill content

`upload_video` — Upload a local video file, returns a public URL

Recommendation

Upload only media intended for publication, check file paths carefully, and require confirmation before sending local files to the provider.

What this means

One bad prompt or agent decision could create many accounts, schedule many videos, or spend many credits before the user notices.

Why it was flagged

The skill encourages bulk operations across multiple accounts and videos. A mistaken instruction or over-broad autonomous action could multiply costs and public-facing changes.

Skill content

`create_bulk_bundles` — Performance Max: create multiple bundles at once ... "Create 10 TikTok accounts in France with 3 videos each"

Recommendation

Set conservative batch limits, require per-batch confirmation, preview total credit cost and affected accounts, and monitor actions after each bulk request.