v0.1.0

Tiktok Product Promotion

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:45 AM.

Analysis

This instruction-only skill is coherent with its TikTok promotion purpose, but it can guide an agent to use an account bearer token to create paid influencer campaign tasks without clearly documented approval, budget, or credential-scope safeguards.

Guidance: Review this skill before installing it if you plan to let an agent act autonomously. It shows no code-level malware, but it can guide account-authenticated API calls that create paid TikTok promotion tasks. Use least-privilege credentials, require human approval for every campaign submission, set budget limits, and do not share confidential product or marketing information unless you intend to.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Concern.
SKILL.md
curl -X POST https://www.pinghuman.ai/api/v1/tasks ... "compensation": 800.00 ... "commission_structure": { "base_payment": 800.00, "affiliate_commission": "10% of sales"

The skill documents a direct API call that creates a paid promotional task with compensation and commission terms. That is purpose-aligned, but it is a high-impact business action and the artifact does not show confirmation, budget caps, or reversibility guidance.

User impact: An agent following the workflow could create paid influencer campaign requests that affect spending, public marketing, and brand reputation.
Recommendation: Require explicit user approval before posting any campaign, set clear budget limits, review product claims and deliverables, and prefer a draft/review workflow before submitting paid tasks.

Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
SKILL.md
skill-install tiktok-product-promotion ... echo "tiktok-product-promotion: https://www.pinghuman.ai/skills/tiktok-product-promotion/skill.md" >> ~/.agent/skills.txt

The install instructions point to a remote skill definition and manual agent configuration. No executable code is present, but the source is listed as unknown and no pin or integrity check is shown.

User impact: A user may depend on a remotely hosted skill file whose provenance or future contents are not verified by the provided artifacts.
Recommendation: Install only from a trusted registry or verified URL, check the skill contents before enabling it, and prefer pinned versions or integrity verification where available.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium. Confidence: High. Status: Concern.
SKILL.md
-H "Authorization: Bearer ph_sk_abc123..."

The examples require a bearer token that authorizes PingHuman API access. The supplied registry metadata declares no primary credential or required environment variable, so the account authority and token scope are under-disclosed.

User impact: A real token could let the agent act on the user's PingHuman account, including creating or managing campaign tasks, depending on the token permissions.
Recommendation: Declare the credential requirement clearly, use a least-privilege token, keep tokens out of prompts and logs, and require confirmation before any account-mutating action.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low. Confidence: High. Status: Note.
SKILL.md
"description": "Create a 30-60 second TikTok video reviewing our wireless earbuds... Provide affiliate link in bio and use promo code CREATOR20"

The task payload sends product, promotion, affiliate, and tracking details to the external PingHuman service and ultimately to human creators. This data sharing is expected for the skill, but users should understand the boundary.

User impact: Campaign details, product plans, promo codes, and performance-tracking information may be shared outside the user's agent environment.
Recommendation: Avoid including confidential launch plans or sensitive business data unless intended, and review what will be sent to PingHuman and creators before submitting.