Skill v1.0.0

ClawScan security

AI Tiktok Script Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 20, 2026, 11:40 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (generate viral TikTok scripts) matches its high-level instructions, but it references third-party scraping/video services (Apify, InVideo) without declaring required credentials or concrete integration steps, creating an unclear and potentially excessive external-access requirement.
Guidance
This skill appears to do what it says (generate TikTok scripts using trend data), but the SKILL.md references Apify and InVideo without specifying how they are called or what API keys/account access is required. Before installing or enabling:
1) Ask the author whether the skill will call Apify/InVideo programmatically and which API keys or accounts it needs;
2) Confirm where scraped TikTok data is fetched from and whether any private or PII-containing data could be collected or stored;
3) If you must provide API keys, use scoped keys and consider creating service accounts with limited permissions;
4) Check platform policy and TikTok terms regarding scraping;
5) Prefer a version that documents concrete endpoints, required env vars, and data handling (storage/retention) so you can judge proportionate access.
If the author cannot clarify these points, treat the skill as higher risk and avoid granting credentials or network access.

Review Dimensions

Purpose & Capability
note
The SKILL.md describes generating 10 TikTok scripts using scraped trend data and suggests Apify and InVideo as the data and production sources — that matches the stated purpose. However, the manifest declares no required credentials or dependencies even though Apify/InVideo integrations typically require API tokens or accounts. This mismatch is likely an omission or sloppy documentation rather than outright maliciousness, but it is unexplained.
Instruction Scope
note
Instructions tell the agent to 'Scrape top 50 viral TikToks' and to extract trend data and sounds. The guidance is high-level and does not show exact commands, endpoints, or where scraped data would be sent. While scraping and trend-analysis are within scope for the described goal, the vague instructions give the agent broad discretion about how to collect and transmit data (which external endpoints, whether to use Apify actors or public scraping, how to store results).
Install Mechanism
ok
There is no install spec and no code files; the skill is instruction-only. This minimizes filesystem or installation risk because nothing in the bundle will be written or executed on install.
Credentials
note
The skill declares no required environment variables or primary credential, yet it explicitly references third-party services (Apify and InVideo) that generally require API keys/accounts to use programmatically. The absence of declared credentials is an inconsistency: either the skill expects public web scraping (no credentials) or the author omitted necessary API requirements. This should be clarified before use.
Persistence & Privilege
ok
always is false and the skill is user-invocable; it does not request permanent presence or elevated platform privileges. Autonomous invocation is allowed (default), but that alone is not a new concern here.