Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Publora Tiktok
v2.0.0
Post or schedule video content to TikTok using the Publora API. Use this skill when the user wants to publish or schedule TikTok videos via Publora.
by Sergey Bulaev @sergebulaev
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the SKILL.md consistently describe publishing/scheduling TikTok videos via the Publora API. The documented endpoints, three-step upload flow, and platform limits are coherent with that purpose. However, the skill does not declare the Publora API key as a required credential even though examples use an 'x-publora-key' header, so the declared requirements do not fully match the runtime instructions.
Instruction Scope
SKILL.md instructs the agent to call Publora endpoints and to upload video bytes to a presigned S3 URL — all reasonable for publishing video. But it also repeatedly references a separate 'publora core skill' for auth and workspace/webhook docs (which is not declared as a dependency), and shows use of an 'x-publora-key' secret without the skill declaring that secret. These are scope/clarity issues: the runtime instructions expect credentials and a core-skill integration that the registry metadata does not declare.
Install Mechanism
Instruction-only; no install spec, no code written to disk, and no third-party packages or download URLs. This is the lowest-risk install mechanism.
Credentials
The SKILL.md requires an API key in the header ('x-publora-key: sk_YOUR_KEY'), but the registry metadata lists no required environment variables or primary credential. That mismatch is concerning because the skill will need secret credentials at runtime but does not declare them, so users may be unclear about what secrets to provide or how the agent will obtain them.
Persistence & Privilege
The skill is not always-enabled (always: false) and does not request system-wide configuration changes or persistent privileges. It does not modify other skills' settings per the provided metadata.
What to consider before installing
This skill appears to do what it claims (post/schedule TikTok videos via Publora), but there are important gaps you should clarify before installing:
- The SKILL.md uses an 'x-publora-key' API key header, yet the skill metadata does not declare any required credentials or a primaryEnv. Confirm how the agent will get the Publora API key (will you paste it in conversation, set an env var, or is there supposed to be a 'publora' core skill that centralizes auth?).
- The documentation refers to a separate 'publora core skill' for auth and webhooks but that dependency isn't listed. Ask the publisher where that core skill is and how auth is handled.
- There is no source or homepage provided. Prefer skills that publish source or a vendor homepage so you can verify the publisher and check for official documentation or SDKs.
- When you provide any API key, ensure it has the minimum scope needed and that you trust the skill/publisher. Observe network activity: this skill will send content and media to api.publora.com and to presigned S3 upload URLs (expected), but do not provide secrets to untrusted or unknown publishers.
If the publisher confirms the missing credential declaration and provides a link to the 'publora' core skill or official docs, that would remove the main concerns and increase confidence.
Like a lobster shell, security has layers — review code before you run it.
latest vk9744fq28h1gztjnpj41q0p22h82wk0m
