Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tiktok Publisher

v1.0.1

Publish videos and photo carousels to TikTok. Use when the user says 'post to TikTok', 'upload TikTok video', 'create TikTok post', 'publish TikTok carousel'...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (publish to TikTok) align with the instructions: all operations call the Boring MCP connector (list accounts, upload media, publish). Requiring a connector link that carries an auth token is plausible for a third‑party social‑media publishing integration, but the skill delegates all access to an external service rather than using TikTok credentials directly.
Instruction Scope
SKILL.md confines runtime actions to the Boring MCP API (boring_list_accounts, boring_upload_file, boring_publish_post). It does instruct uploading local files (file_path), which implies reading local media to send to the third‑party service. This is expected for a publisher, but you should be aware that your media will be transmitted off‑device to Boring's servers.
Install Mechanism
Instruction‑only skill with no install spec or bundled code files; nothing is downloaded or written to disk by the skill itself, which reduces installer risk.
Credentials
No local env vars are required, but the single required credential is an MCP Connector link containing an embedded auth token. According to SKILL.md that token grants publish/manage/schedule access across connected social accounts — this is high privilege and potentially broader than TikTok alone. The token is stored/handled by the third‑party service rather than locally, so you must trust that service. The skill does not declare more granular scoping or limit access to only TikTok.
Persistence & Privilege
'always' is false, and the skill does not claim to modify other skills or system configuration. Autonomous invocation is allowed (platform default), which is expected for skills; no elevated persistence is requested.
What to consider before installing
This skill delegates publishing to a third‑party service reachable via an MCP connector link that embeds a token with publish/manage privileges. Before installing or using: (1) verify you trust the Boring service and its domain (confirm ownership, privacy policy, and source code if you need assurance); (2) understand that providing the MCP link lets that service create posts and upload media on connected accounts — consider creating/restricting a dedicated account or limiting connected platforms; (3) avoid pasting the connector link in public or untrusted places and be ready to revoke/regenerate the token if needed; (4) ask the skill author for provenance (who runs boring.aiagent-me.com) or for a way to restrict the token to only TikTok if you want narrower scope.


latestvk970hxwfm28fs9c61gzzxzah6n83p935

Runtime requirements

🎵 Clawdis
Config: MCP Connector link from boring.aiagent-me.com (contains embedded auth token)
