TikTok Hotspot Monitor
Review
Audited by ClawScan on May 11, 2026.
Overview
The skill mostly matches TikTok trend monitoring, but it includes an out-of-scope video-download capability despite saying it only handles metadata.
Review this skill before installing. It is largely aligned with TikTok trend monitoring, but verify whether you want any video-download capability present at all, protect Apify/TikTok credentials, run it in an isolated Python environment, and monitor scheduled runs or Apify billing.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user expecting metadata-only monitoring could unintentionally enable downloading TikTok media, which may consume bandwidth/storage and raise privacy, copyright, or policy issues.
The skill's scope says it is not responsible for downloading video/audio files, but the analyzer exposes a video-download option, and the manifest also lists scripts/download_tiktok_videos.py.
parser.add_argument("--download", action="store_true", help="Download videos after analysis.")
Remove or clearly document the download workflow, keep it disabled by default, and require explicit user confirmation before any media download.
Installing or using the skill may require account credentials or a saved TikTok session that could incur Apify costs or grant access to a TikTok account session.
The skill uses an Apify API token for primary crawling and a saved TikTok login session for Playwright backup mode; these are expected for the integration but are sensitive account/session materials.
echo "APIFY_TOKEN=your_token_here" > .env ... python scripts/tiktok_login_save_session.py
Use a dedicated Apify token with limited permissions/budget, protect the .env and saved session files, and avoid using a personal TikTok account if not necessary.
Future dependency versions could change behavior or introduce vulnerabilities when the user installs the skill.
The Python dependencies are specified with lower-bound version ranges rather than pinned versions or a lockfile.
apify-client>=1.0.0
playwright>=1.40.0
Install in an isolated environment and consider pinning reviewed dependency versions before production use.
If the configuration is changed to point at another command, the skill could run different local code.
Backup local crawling is implemented by running a configured Python command; this is purpose-aligned for Playwright/MCP mode but is still local code execution controlled by configuration.
"tiktok_mcp": { "command": "python", "args": [ "scripts/tiktok_search_mcp_adapter.py" ], "timeout_seconds": 120 }
Review the tiktok_mcp command and args before enabling local Playwright mode, and do not allow untrusted edits to the config file.
A scheduled run could keep using network access and Apify quota until stopped.
The crawler can run continuously when explicitly scheduled; the provided config defaults scheduling to disabled, so this appears user-directed rather than hidden persistence.
| `--schedule` | Flag | - | Run continuously |
Only enable --schedule intentionally, set conservative intervals/limits, and monitor Apify usage.
