Boring TikTok Publisher
v1.0.1Publish videos and photo carousels to TikTok using Boring. Use when the user says 'post to TikTok', 'upload TikTok video', 'create TikTok post', 'publish Tik...
⭐ 0· 71·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the instructions: the SKILL.md shows how to list accounts, upload media, and call boring_publish_post to publish to TikTok. The declared requirement (an MCP Connector link containing an embedded auth token) is consistent with a third‑party service proxying TikTok API calls.
Instruction Scope
Runtime instructions only reference Boring connector calls (boring_list_accounts, boring_upload_file, boring_upload_from_url, boring_publish_post). They ask the agent to upload media (local files, external URLs, Google Drive) which is expected for a publishing tool. No instructions ask the agent to read unrelated system files or environment variables. Note: allowing upload of local file paths and Google Drive links gives the skill access to any media the user supplies.
Install Mechanism
Instruction-only skill with no install spec or code files, so nothing is written to disk or fetched during install. This is a low-risk delivery mechanism and consistent with the skill being a connector wrapper.
Credentials
No environment variables are requested, but the skill requires an MCP Connector link that embeds an auth token. That connector is effectively a high‑privilege credential (it grants Boring access to the user's connected TikTok account(s) and can upload/publish on the user's behalf). This is proportionate to the stated purpose, but is sensitive: the MCP link should be treated like a password and may allow broad account actions and media access.
Persistence & Privilege
always is false (no forced inclusion). Model invocation is enabled (default), which means the agent could call this skill autonomously if permitted — this is platform default behavior. The skill does not request persistent agent changes or system-wide config access.
Assessment
This skill appears to do what it says: it uses a Boring MCP connector to upload media and publish to TikTok. Before installing, confirm these items: (1) Understand that the MCP Connector URL contains an embedded auth token and grants Boring permission to act on your TikTok accounts — treat it like a password and only paste it into trusted places. (2) Media you upload will be stored on Boring's Google Cloud Storage and forwarded to TikTok, so do not upload content you consider highly sensitive unless you trust Boring's handling and retention policies. (3) Verify the Boring service/website and its privacy/security docs (who can access stored media, retention, and ability to revoke tokens). (4) Prefer using draft mode for initial tests to avoid accidental public posts. (5) If you are concerned about autonomous posting, restrict how the agent may call skills or require explicit user confirmation before publishing. (6) If you stop using the service, revoke the MCP token in your Boring settings immediately.Like a lobster shell, security has layers — review code before you run it.
latestvk97b8gs19ashxc18j79s426pzh83pknx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎵 Clawdis
ConfigMCP Connector link from boring.aiagent-me.com (contains embedded auth token)