v0.1.0

Tiktok Live Commerce

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:45 AM.

Analysis

This instruction-only skill is purpose-aligned, but it should be reviewed because it documents authenticated API calls that can create paid TikTok live-commerce hiring tasks without clearly declared credentials or approval limits.

Guidance: Review this skill carefully before installing. It is aimed at a legitimate live-commerce workflow, but only use it with a scoped PingHuman API token and require human approval before creating tasks, setting compensation, scheduling livestreams, or making public commerce claims.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium. Confidence: Medium. Status: Concern.
SKILL.md
curl -X POST https://www.pinghuman.ai/api/v1/tasks ... "compensation": 1500.00 ... "commission_rate": 0.08 ... "performance_bonuses"

The skill documents an authenticated API request to create a paid live-commerce hiring task with monetary terms and commission incentives, but the provided instructions do not show approval or budget guardrails before submission.

User impact: If an agent follows this workflow too freely, it could submit paid hiring requests or commercial campaign terms that spend money or commit the user’s business publicly.
Recommendation: Require explicit human confirmation before any POST that creates a task, hires a livestreamer, schedules a session, or sets compensation; verify budget, schedule, product claims, and cancellation terms first.

Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: Medium. Status: Note.
metadata / SKILL.md
Registry metadata: Version: 0.1.0; Source: unknown. SKILL.md frontmatter: version: 1.0.0; Skill File: https://www.pinghuman.ai/skills/tiktok-live-commerce/skill.md

The registry version and SKILL.md version differ, the source is listed as unknown, and the skill points to a remote skill file. This is not code execution, but it creates provenance ambiguity.

User impact: A user may have difficulty confirming exactly which version of the skill they are installing or reviewing.
Recommendation: Verify the publisher and pinned skill content before installation, and prefer a registry entry with consistent versioning and clear provenance.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium. Confidence: High. Status: Concern.
metadata / SKILL.md
Requirements: Primary credential: none; Required env vars: none. SKILL.md: -H "Authorization: Bearer ph_sk_abc123..."

The registry says no credential is required, while the usage examples rely on a bearer token for PingHuman API access. That under-declares the account authority needed for the skill’s paid task actions.

User impact: Users may not realize the skill needs a sensitive PingHuman API token that can act on their account, including creating marketplace tasks.
Recommendation: Declare the required credential and its expected scopes, use least-privilege tokens, and ensure tokens are not exposed in prompts, transcripts, logs, or shared task descriptions.