Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Brand Protection Tiktok
v0.1.0TikTok Shop brand protection toolkit. Detect unauthorized sellers, counterfeit products, and affiliate abuse. Includes TikTok IP Protection reporting, influe...
by Henk Nie (@phheng)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
High confidence
Purpose & Capability
The skill is advertised for 'TikTok Shop' but the included templates and code repeatedly reference Amazon concepts (ASINs, Brand Registry, brandregistry.amazon.com) and Amazon-specific workflows. There is no TikTok API integration, no TikTok endpoints, and no declared credentials for accessing TikTok Shop. This mismatch suggests either mislabeled scope or missing/incomplete implementation.
Instruction Scope
Runtime instructions are minimal (run python3 scripts) and do not explain how TikTok data is obtained or what inputs the scripts expect. The SKILL.md shows example JSON inputs but does not say where to provide them. Templates instruct operational activities (test buys, cease-and-desist) which are plausible, but the agent is given broad discretion without clear data-flow boundaries — e.g., no guidance on safe data sources or limits on automated reporting.
Install Mechanism
There is no install spec (instruction-only), which is lower risk from supply-chain downloads. However, the package includes two Python scripts bundled with the skill; running them will execute local code. No external downloads or suspicious install URLs were present in the provided files, but users should still review the scripts before execution.
Credentials
The skill does not request environment variables, credentials, or config paths. That is proportionate given its stated functionality. Note: the scripts generate complaint templates (including contact emails) but do not declare any need for secrets — any network or credential usage would be visible only in the code (which should be inspected).
Persistence & Privilege
The skill is not marked always:true and does not request persistent privileges. It is user-invocable and can be run manually; autonomous invocation is allowed by default but not by itself a red flag here.
What to consider before installing
Do not assume this is a ready-to-run TikTok integration. Before installing or executing: (1) Confirm with the publisher whether this is intended for TikTok — ask how TikTok Shop data is obtained and whether any scraping or API access is required. (2) Inspect the included Python files for any network requests or credential usage (HTTP requests, sockets, or hidden endpoints). (3) Run the scripts in an isolated environment (sandbox/VM) after review. (4) If you plan to use automated reporting or 'test buys', verify legal/compliance implications and avoid exposing your primary accounts/credentials. If the author provides a clear TikTok API implementation (endpoints, required env vars, and privacy policy) and/or updates templates to target TikTok rather than Amazon, the coherence and risk profile would improve.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9745dgc0s4hmyav4n8kh6cq75839h60
