Skill v0.1.0
ClawScan security
TikTok Uploader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 3:33 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requirements are consistent with its stated purpose (browser-automation TikTok uploads); it requires user-supplied session cookies, which is expected but sensitive; exercise caution when providing them.
- Guidance: This skill appears to do what it says, but it requires you to provide TikTok session cookies (cookies.txt or sessionid). Those are sensitive: only export/provide cookies from accounts you trust (preferably a throwaway or account dedicated to automated uploads). Before installing: (1) verify the tiktok-uploader package source (review the GitHub/PyPI project and its recent changes), (2) install in a virtual environment, (3) avoid pasting sessionid or cookie contents into public places, and (4) consider using a dedicated account or limited-permission setup in case credentials are mishandled. The skill will read any cookie file or directory paths you give it and uses browser automation (Playwright), which is expected for this functionality.
Review Dimensions
- Purpose & Capability (ok): Name and description (upload/schedule/batch TikTok videos via browser automation) match the provided SKILL.md and the included helper script. Requiring python3 and Playwright is appropriate for a Playwright-based uploader. The script is a thin wrapper around the tiktok-uploader library and only exposes operations that map to the described functionality.
- Instruction Scope (note): Instructions ask the user to provide cookies (cookies.txt, sessionid, or cookie list) and to point to local video directories; the included wrapper reads the cookie file path and enumerates video files when asked. This is within scope for an uploader, but it does mean the skill will read any cookie file or directories you give it; those artifacts are sensitive and should only be provided from trusted accounts.
- Install Mechanism (note): No registry install spec in the manifest, but SKILL.md recommends 'pip install tiktok-uploader' and 'playwright install'. Installing from PyPI and running Playwright is expected for this functionality; it is a common but moderate-risk install vector (third-party PyPI packages should be vetted). No downloads from unknown URLs or archive extraction were found in the skill files.
- Credentials (ok): The skill does not request arbitrary environment variables or unrelated credentials. It requires the user to supply session cookies (or sessionid), which are necessary for authenticating the browser session to TikTok; the number and type of credentials requested are proportional to the task.
- Persistence & Privilege (ok): 'always' is false and the skill does not request persistent system-wide changes or access to other skills' credentials. It does not attempt to modify other skill configurations or claim elevated platform privileges.
