Tiktok Viral Marketing
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: tiktok-viral-marketing Version: 0.1.0 The skill bundle is benign. All network requests are directed to the stated `https://www.pinghuman.ai` API for TikTok marketing purposes. The `SKILL.md` contains `curl` commands and a shell `for` loop as examples for API interaction, and an `echo` command to register the skill in `~/.agent/skills.txt`. These are consistent with the skill's stated functionality and do not exhibit any malicious intent such as data exfiltration, unauthorized execution, persistence mechanisms, or harmful prompt injection against the agent. The API key is a placeholder, implying the agent should use its own securely stored credentials for the service.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used too freely, an agent could create paid marketing tasks or campaigns on the user's PingHuman account without the user clearly reviewing the cost and campaign details first.
The documented workflow creates a compensated external campaign/task. That is aligned with the skill's purpose, but the artifact does not state approval, budget, cancellation, or confirmation limits before making this paid account-mutating request.
curl -X POST https://www.pinghuman.ai/api/v1/tasks ... "compensation": 500.00, "currency": "CNY"
Require explicit user confirmation before every paid task creation, enforce budget limits, preview the full API payload, and document how to cancel or reverse a submitted campaign.
Anyone or any agent process with this key may be able to access or change PingHuman account resources according to that key's permissions.
The skill expects a PingHuman bearer credential so the agent can act against the user's account. This is expected for the service, but it is sensitive authority and the provided registry metadata lists no primary credential.
Obtain a secret key from the human account owner ... Register your agent with the API ... Save credentials securely ... Authorization: Bearer ph_sk_abc123...
Use a scoped, revocable key if available; store it in a secret manager; rotate it if exposed; and avoid giving the agent broader account permissions than needed.