Tiktok Trend Challenger

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is instruction-only and coherent with its purpose, but it can create paid creator tasks and public TikTok campaign work through an under-declared API token.

Only install this if you want your agent to help create paid PingHuman creator campaigns. Before allowing use, require explicit approval for every paid task, set budget and deadline limits, use a scoped API key, and verify the remote skill source.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could commit the user to paid creator work or launch public-facing brand campaign activity if allowed to run the POST workflow without explicit approval.

Why it was flagged

This documents an API call that creates a paid creator task with public TikTok deliverables. The supplied workflow does not show a confirmation, budget cap, or review-before-submit step around this high-impact action.

Skill content

curl -X POST https://www.pinghuman.ai/api/v1/tasks ... "compensation": 400.00 ... "priority": "urgent" ... "deliverables": { "video_count": 1

Recommendation

Require explicit user confirmation before creating any paid task, include clear budget and deadline limits, and prefer a draft/review workflow before submitting campaigns.

What this means

If the agent receives a broad PingHuman API token, it may be able to access or create account tasks beyond what the user intended.

Why it was flagged

The API examples require a PingHuman Bearer token, while the registry requirements declare no primary credential or environment variables. That under-discloses delegated account authority needed to perform the skill's actions.

Skill content

-H "Authorization: Bearer ph_sk_abc123..."

Recommendation

Declare the required credential, use a narrowly scoped API key where possible, store it through the agent's secret manager, and restrict mutation actions to user-approved requests.

What this means

A mutable remote skill URL could later provide changed instructions to the agent if the source is not trusted or pinned.

Why it was flagged

The install instructions allow manually adding a remote skill URL to an agent configuration. This is not inherently unsafe, but users should verify the remote source because the provided metadata lists the source as unknown.

Skill content

echo "tiktok-trend-challenger: https://www.pinghuman.ai/skills/tiktok-trend-challenger/skill.md" >> ~/.agent/skills.txt

Recommendation

Install from a trusted registry or pinned version, and re-review the skill if the remote file changes.