Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TikTok Crawling (yt-dlp)
v1.0.0
Use for TikTok crawling, content retrieval, and analysis
⭐ 13· 3.9k·18 current·18 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description claim TikTok crawling via yt-dlp and the SKILL.md contains only yt-dlp usage patterns, filters, metadata exports, and scheduling examples — everything requested is coherent with a scraping/downloading tool guide. No unrelated credentials, binaries, or installs are demanded by the skill itself.
Instruction Scope
Instructions are focused on scraping and metadata extraction, but they explicitly recommend using --cookies-from-browser (or exporting cookies to a file), cron scheduling, and VPN/geo-bypass techniques. Those steps expand operational scope (accessing browser cookie stores, running scheduled background jobs, altering network identity) and carry privacy, legal, and operational implications even though they are relevant to accessing private/restricted content.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. The doc suggests standard, well-known install methods (brew, pip) for yt-dlp/ffmpeg but does not perform downloads itself — low install risk.
Credentials
The skill requests no environment variables or credentials, which matches its instruction-only nature. However, the runtime instructions advise accessing browser cookie stores and storing cookies files (sensitive local data) without declaring this as a required config; accessing browser cookies is sensitive and should be treated as such if you follow these instructions.
Persistence & Privilege
Skill flags are default (not always:true). The guide shows how to set up cron jobs or scripts for ongoing scraping, but the skill itself does not request persistent privileges or modify other skills/config — persistence is an operational choice the user would make when deploying the commands.
Assessment
This guide appears internally consistent for a yt-dlp–based TikTok scraper, but pay attention to privacy, legal, and operational risks before using it. Don't hand over browser cookies or cookie files unless you trust the environment (cookies can grant account access). Run scraping in an isolated account, container, or VM to limit exposure, and avoid running scheduled jobs as root. Respect TikTok's terms of service and copyright laws; rate-limit your requests and monitor storage (downloads can be large). If you need to access private/restricted content, prefer using dedicated, minimal credentials or ephemeral cookies and delete them when done. If you’re unsure about legality or data sensitivity, consult legal/privacy resources before proceeding.
Like a lobster shell, security has layers — review code before you run it.
latestvk975bckrr1hr55dc1edkfr34gx80wmst
