Tiktok Live Commerce
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned, but the visible instructions let an agent create paid PingHuman/TikTok livestream hiring tasks using account bearer-token access without visible approval or budget guardrails.
Use this skill only if you are comfortable letting an agent prepare PingHuman/TikTok live-commerce hiring tasks. Before enabling it, require the agent to show the full task payload, budget, commission terms, schedule, and recipient details for explicit approval before any API submission, and use a limited-scope API token if available.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could create a paid livestream hiring task or financial commitment on the user's PingHuman account if invoked without sufficient review.
The visible instructions create a paid task with commissions and bonuses through an API call. In the provided excerpt, this high-impact action is presented as a direct posting workflow rather than a bounded draft/confirm workflow.
curl -X POST https://www.pinghuman.ai/api/v1/tasks ... "compensation": 1500.00 ... "commission_rate": 0.08 ... "performance_bonuses": { "50k_gmv": 800.00, "100k_gmv": 2000.00, "200k_gmv": 5000.00 }
Require explicit user confirmation before any POST that creates a task, include budget limits, show the full task payload for review, and document how to cancel or reverse submitted work.
Users may not realize the agent needs delegated access to their PingHuman account and that the token could authorize paid marketplace actions.
The skill expects a PingHuman bearer token to access the API. That credential can be used for account actions such as posting paid tasks, while the provided registry metadata declares no primary credential.
-H "Authorization: Bearer ph_sk_abc123..."
Declare the required credential in metadata, use least-privileged tokens if available, and instruct users to store credentials securely and approve spending-related actions.
Campaign details, product information, schedules, and commercial terms may leave the user's local agent environment and be shared with the provider or hired hosts.
The workflow sends campaign and product-session details to the external PingHuman API and, by purpose, to human livestream hosts. This is expected for the service but is still an external data flow.
curl -X POST https://www.pinghuman.ai/api/v1/tasks ... "description": "Host a 2-hour TikTok Live session showcasing our beauty product line..."
Review task descriptions before submission and avoid including confidential product, pricing, customer, or unreleased campaign information unless it is intended to be shared.
