Tiktok Trend Slayer
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent TikTok/EchoTik analytics helper, but it uses API credentials and writes reusable local reports, so users should verify credentials, output paths, and source before use.
Before installing, confirm you trust the source, provide only the API credentials needed for your task, run it with normal market codes and a dedicated output directory, and review generated reports before making business decisions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can use your EchoTik/TikTok Shop API access and consume quota or expose data permitted by those tokens.
The script uses environment-provided EchoTik and TikTok Shop credentials in Authorization headers to the stated services. This is purpose-aligned, but it grants third-party API/account access.
-H "Authorization: ${ECHOTIK_AUTH_HEADER}" ... -H "Authorization: Bearer ${TIKTOK_SHOP_API_KEY}"
Use least-privileged tokens, export credentials only when needed, and revoke or rotate credentials if they are no longer required.
Users may not receive automatic install-time prompts about curl/jq, API credentials, or the claimed source location.
Registry metadata does not surface the source, dependency, or credential expectations that SKILL.md and the script disclose. This is not hidden in the skill text, but installer metadata may under-warn users.
Source: unknown; Homepage: none; Required env vars: none; Required binaries ... none
Verify the claimed source before trusting updates, and manually confirm curl, jq, ECHOTIK_AUTH_HEADER, and any TikTok Shop token before running.
A mistaken or maliciously chosen output path/region string could create generated report files outside the intended report folder.
The caller can choose the output directory, and the region value is embedded in generated filenames. Report writing is expected, but unexpected path or region values could put files in unintended locations.
--output-dir) OUTPUT_DIR="$2"; shift 2 ;; ... local out_file="$OUTPUT_DIR/${cat}_${region}_$(date +%Y%m%d)_influencers.${FORMAT}"
Use documented region codes such as US, SG, or TH and a dedicated output directory; maintainers should validate or sanitize region and path inputs.
If external API data contains misleading names, titles, or prompt-like text, it could influence generated reports if over-trusted.
The workflows intentionally reuse persisted API output files as later analysis context. External product or creator fields should be treated as data, not as instructions.
3. **Read all output files** from `output/` directory.
Review generated reports before acting on them, and ensure the agent treats API response fields as untrusted data rather than instructions.
