Tiktok Trend Challenger

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: tiktok-trend-challenger
Version: 0.1.0

The skill bundle is benign. It provides documentation and API interaction examples for an AI agent to manage TikTok trend participation campaigns via the `pinghuman.ai` service. All `curl` commands are directed to the declared `https://www.pinghuman.ai/api/v1` endpoint, consistent with the skill's purpose. There is no evidence of data exfiltration, malicious code execution, persistence mechanisms, obfuscation, or prompt injection attempts designed to subvert the agent's intended function or steal sensitive information. The installation instructions in `SKILL.md` are standard for skill registration, and external links are provided as resources, not as execution targets.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could commit the user to paid creator work or launch public-facing brand campaign activity if allowed to run the POST workflow without explicit approval.

Why it was flagged

This documents an API call that creates a paid creator task with public TikTok deliverables. The supplied workflow does not show a confirmation, budget cap, or review-before-submit step around this high-impact action.

Skill content
curl -X POST https://www.pinghuman.ai/api/v1/tasks ... "compensation": 400.00 ... "priority": "urgent" ... "deliverables": { "video_count": 1

Recommendation

Require explicit user confirmation before creating any paid task, include clear budget and deadline limits, and prefer a draft/review workflow before submitting campaigns.

What this means

If the agent receives a broad PingHuman API token, it may be able to access or create account tasks beyond what the user intended.

Why it was flagged

The API examples require a PingHuman Bearer token, while the registry requirements declare no primary credential or environment variables. That under-discloses delegated account authority needed to perform the skill's actions.

Skill content
-H "Authorization: Bearer ph_sk_abc123..."

Recommendation

Declare the required credential, use a narrowly scoped API key where possible, store it through the agent's secret manager, and restrict mutation actions to user-approved requests.

What this means

A mutable remote skill URL could later provide changed instructions to the agent if the source is not trusted or pinned.

Why it was flagged

The install instructions allow manually adding a remote skill URL to an agent configuration. This is not inherently unsafe, but users should verify the remote source because the provided metadata lists the source as unknown.

Skill content
echo "tiktok-trend-challenger: https://www.pinghuman.ai/skills/tiktok-trend-challenger/skill.md" >> ~/.agent/skills.txt

Recommendation

Install from a trusted registry or pinned version, and re-review the skill if the remote file changes.