Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tiktok-live-cart-automation

v1.0.0

Automation for TikTok Live shopping, including monitoring pinned products, adding to cart, and preparing for checkout. Use for: automatically adding products...

by Cakekritsanan (@kritsanan1)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name and description claim real-time TikTok Live monitoring, adding to cart, and checkout preparation. The SKILL.md also lists Selenium, the TikTokLive library, and ChromeDriver as dependencies. However, the shipped Python code only simulates detection (randomized choices) and writes/reads local JSON files; it does not use Selenium, TikTokLive, web requests, or browser automation. This is a meaningful mismatch: the skill promises integration with TikTok, but the implementation is a placeholder simulation.
Instruction Scope
Runtime instructions tell users to run the main script with a TikTok username and to be logged into TikTok in a browser. But the actual code ignores network/browser APIs and only simulates detection locally. The SKILL.md refers to a USAGE_GUIDE.md for details, but that file is not present in the manifest. The scripts read/write local files (pinned_product.json, cart_data.json) and use subprocess.run to invoke local scripts — no external endpoints or credential access are present in the code. The main issue is misleading scope (the documentation asks for browser login and external libraries, but the code does not perform those actions).
Install Mechanism
There is no install spec (instruction-only install). That lowers platform-level risk because nothing is automatically downloaded. SKILL.md does instruct users to install third-party packages (selenium, TikTokLive) and to download ChromeDriver from an external site; those are manual steps the user might take. While not executed by the skill automatically, following those manual install instructions could lead users to download binaries from third-party sites — the skill itself does not perform such downloads.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The code doesn't access environment secrets. The documentation's instruction to be logged into TikTok is operational (browser state) rather than requesting credentials from the environment, but it's inconsistent with the simulation implementation.
Persistence & Privilege
The skill does not request persistent privileges (the always flag is false) and would not be force-included. It does not modify other skills or system settings. The scripts it runs are local and invoked by the user; autonomous invocation is enabled by default but is not combined with other concerning privileges in this package.
What to consider before installing
This package looks like a placeholder/simulation rather than a finished integration with TikTok Live. Before installing or trusting it:
- Treat it as code for local testing only — it does not actually connect to TikTok or control a browser.
- Do not assume the SKILL.md's Selenium/TikTokLive/ChromeDriver instructions are executed automatically; if you choose to follow them, download binaries only from official project pages and verify versions.
- If you need real automation, request a clear implementation that actually uses secure APIs (and documents what credentials or browser access are required).
- Review the code yourself or run it in an isolated environment if you want to test; the current code only writes/reads local JSON files and calls local Python scripts.
- If you expected real TikTok integration, contact the publisher for clarification or wait for a completed implementation.
The mismatch between documentation and code is the main risk here.
