Tiktok Analytics
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is coherent for read-only TikTok analytics, but it requires trusting a third-party MCP connector URL that functions like a password.
This appears purpose-aligned and instruction-only. Before installing, make sure you trust Boring with read-only TikTok analytics access, keep the MCP URL private, and know how to revoke or regenerate the connector if needed.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who gets the MCP link may be able to access TikTok analytics and account metadata available through that connector.
The skill requires a password-like connector URL that grants access to the user's TikTok analytics through Boring. This is disclosed and described as read-only, but it is still sensitive account access.
**MCP link is a credential**: Your MCP Server URL ... contains an embedded authentication token. Treat it like a password
Only add the connector if you trust the Boring service, keep the URL private, and revoke or regenerate it if it may have been exposed.
Boring may handle your analytics requests, account metadata, and performance metrics while providing the connector service.
The skill depends on an external MCP/service flow where TikTok analytics requests and results pass through Boring. The flow is disclosed and purpose-aligned.
**Data flow**: Analytics queries are sent from Boring's server (Google Cloud, us-central1) to the platform's API on your behalf.
Review Boring's privacy/security posture and disconnect the TikTok OAuth app or revoke the MCP link when you no longer need the integration.
