Skill v1.0.0
VirusTotal security
tiktok-carousel · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: May 1, 2026, 4:28 AM
- Hash: 002028657eb432883b35ea26508d0d724e26a745053f13afac21634dcea6127d
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: tikto-automation; Version: 1.0.0. The skill bundle is designed to generate images and upload them to an external service (Postiz), which requires file system and network access. While its core functionality aligns with the description, the `postiz_api_integration.py` and `scripts/upload.py` modules accept arbitrary file paths for upload, and `tiktok_content_gen.py` accepts arbitrary paths for local file writes. If an AI agent were to call these scripts with unsanitized user input, it could lead to arbitrary file upload or local file write vulnerabilities, allowing an attacker to potentially exfiltrate arbitrary files or overwrite system files. There is no clear evidence of intentional malicious behavior (e.g., hardcoded exfiltration of sensitive files, backdoors, or explicit prompt injection against the agent to perform harmful actions), but the broad file access capabilities without explicit input sanitization make it suspicious.
