Tiktok - powered by Teneo Protocol
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's description (a TikTok data-extraction agent that charges in USDC via the Teneo network) is plausible, but the runtime instructions omit or gloss over sensitive details (wallet signing, private key handling, and an external websocket backend), leaving gaps that could enable credential exposure or unexpected data flow.
Before installing or using this skill:
1) Ask the publisher to explain exactly how wallet signing is performed (e.g., local signer, hardware wallet, external provider) and to update the manifest to declare any required env vars.
2) Inspect the referenced SDK source (GitHub and npm package) yourself or in a sandbox to confirm keys are not exfiltrated; prefer a hardware wallet or an external signing provider rather than putting a private key in an environment variable.
3) Verify the websocket backend domain and review its privacy/security documentation; understand what user data or queries will be sent to that service.
4) Be prepared for on-chain costs (USDC) and test with a throwaway wallet and small funds first.
5) If you cannot confirm the signing flow and backend behavior, avoid supplying real wallet credentials or high-value funds.
SkillSpector
SkillSpector findings are pending for this release.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings
