Tiktok Viral Marketing

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent with TikTok marketing, but it needs Review because it can create paid creator campaigns and encourages coordinated posts that may misrepresent organic popularity.

Install only if you intend an agent to help manage paid influencer campaigns through PingHuman. Use a scoped, revocable API key, keep it out of logs and prompts, and require manual approval for every campaign creation, creator acceptance, payment approval, tip, deadline, and coordinated posting plan. Do not use the workflow to hide sponsorship or make paid coordination appear organic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill explicitly advises coordinated posting to create the appearance of organic popularity, which is a form of deceptive social proof manipulation. In a marketing skill, this is dangerous because it can induce an agent to execute platform-abusive or undisclosed influence tactics that may violate TikTok rules, advertising standards, or user trust.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill shows bearer-token authenticated API calls for creator search, task creation, acceptance, approval, rating, and tipping without warning that these are state-changing operations involving spending and hiring. This increases the risk that an agent will reuse real credentials unsafely, expose secrets in logs, or trigger financial and contractual actions without explicit confirmation.

Ssd 4

Medium
Confidence: 96%
Finding
The workflow recommends seeding multiple synchronized creator posts specifically to manufacture perceived organic momentum. That is risky because it operationalizes deceptive influence tactics and could lead agents to automate behavior that manipulates platform ranking signals or misleads users about authentic popularity.

VirusTotal

66/66 vendors flagged this skill as clean.
