Skill v2.0.0

ClawScan security

Publora Tiktok · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 14, 2026, 11:44 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions match its claimed purpose (posting/scheduling TikTok videos via Publora), but it references a Publora API key and a separate "publora" core skill without declaring required credentials or dependencies, which is an inconsistency users should understand before installing.
Guidance
This skill appears to do what it claims (post/schedule TikTok videos via Publora), but there are important gaps you should clarify before installing:
- The SKILL.md uses an 'x-publora-key' API key header, yet the skill metadata does not declare any required credentials or a primaryEnv. Confirm how the agent will get the Publora API key (will you paste it in conversation, set an env var, or is there supposed to be a 'publora' core skill that centralizes auth?).
- The documentation refers to a separate 'publora core skill' for auth and webhooks, but that dependency isn't listed. Ask the publisher where that core skill is and how auth is handled.
- There is no source or homepage provided. Prefer skills that publish source or a vendor homepage so you can verify the publisher and check for official documentation or SDKs.
- When you provide any API key, ensure it has the minimum scope needed and that you trust the skill/publisher. Observe network activity: this skill will send content and media to api.publora.com and to presigned S3 upload URLs (expected), but do not provide secrets to untrusted or unknown publishers.
If the publisher confirms the missing credential declaration and provides a link to the 'publora' core skill or official docs, that would remove the main concerns and increase confidence.

Review Dimensions

Purpose & Capability
note: The name/description and the SKILL.md consistently describe publishing/scheduling TikTok videos via the Publora API. The documented endpoints, three-step upload flow, and platform limits are coherent with that purpose. However, the skill does not declare the Publora API key as a required credential even though examples use an 'x-publora-key' header, so the declared requirements do not fully match the runtime instructions.
Instruction Scope
concern: SKILL.md instructs the agent to call Publora endpoints and to upload video bytes to a presigned S3 URL, all reasonable for publishing video. But it also repeatedly references a separate 'publora core skill' for auth and workspace/webhook docs (which is not declared as a dependency), and shows use of an 'x-publora-key' secret without the skill declaring that secret. These are scope/clarity issues: the runtime instructions expect credentials and a core-skill integration that the registry metadata does not declare.
Install Mechanism
ok: Instruction-only; no install spec, no code written to disk, and no third-party packages or download URLs. This is the lowest-risk install mechanism.
Credentials
concern: The SKILL.md requires an API key in the header ('x-publora-key: sk_YOUR_KEY'), but the registry metadata lists no required environment variables or primary credential. That mismatch is concerning because the skill will need secret credentials at runtime but does not declare them, so users may be unclear about what secrets to provide or how the agent will obtain them.
Persistence & Privilege
ok: The skill is not always-enabled (always: false) and does not request system-wide configuration changes or persistent privileges. It does not modify other skills' settings per the provided metadata.