Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tiktok-research-kit

v1.0.0

Extract and analyze TikTok content using yt-dlp. Supports video metadata, caption extraction, sound/music info, user profile analysis, and engagement stats....

by 江辰 (@xuya227939)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is an instruction-only toolkit that uses yt-dlp to extract TikTok metadata, captions, sounds, profiles, and comments — this aligns with the name/description. However, the skill metadata lists no required binaries while SKILL.md explicitly requires yt-dlp >= 2024.01.01 (brew / pip). That omission is an inconsistency but plausibly an oversight rather than malicious.
Instruction Scope
SKILL.md tells the agent to run local yt-dlp commands and parse JSON output — within scope. However, it also mentions using --cookies-from-browser chrome, which implies reading browser cookies (sensitive local data) to access region- or login-restricted content; the skill does not declare or request access to cookie paths or explain privacy/consent implications. The guide also suggests an external site (snapvee.com) for downloads; directing users to third-party download services is out-of-band and may have privacy or security implications.
Install Mechanism
No install spec is provided (instruction-only), so nothing is written to disk by the skill itself. The SKILL.md recommends installing yt-dlp via brew or pip — both are standard and expected for the stated purpose.
Credentials
The skill does not request environment variables, credentials, or config paths. This is proportionate to an instruction-only yt-dlp-based extractor. Note: the optional cookie usage could access browser-stored secrets if the user enables it — that risk arises from the tool (yt-dlp) behavior, not from listed requirements.
Persistence & Privilege
The skill is not set to always:true and is user-invocable; it does not request persistent privileges or modify other skills. Autonomous invocation is allowed by default but not combined with other red flags.
Scan Findings in Context
[no-code-to-scan] expected: The scanner found no code files (instruction-only). This is expected for a SKILL.md-only skill; there are therefore no regex-based code findings to contextualize.
What to consider before installing
This skill appears to be what it says — a recipe for using your local yt-dlp to pull TikTok metadata — but check these before installing or running it:
- Install yt-dlp yourself (brew or pip) rather than expecting the skill to provide it; the SKILL.md requires yt-dlp but the skill metadata did not declare the binary requirement. Verify yt-dlp --version.
- Do not enable cookie extraction unless you understand the privacy risk: --cookies-from-browser chrome will allow yt-dlp to read browser cookies (session/auth tokens). Only use that when you trust the environment and have the owner's consent.
- The skill suggests snapvee.com for downloads. Treat third-party download services cautiously (privacy, malware, TOS). The skill explicitly says it focuses on extraction/analysis, not downloading.
- Review local legal/terms-of-service constraints before extracting or storing TikTok content (and avoid distributing content you don't have rights to).
- If you need stronger assurance, ask the author for a source repo or signed release (the metadata lists a support_url and homepage in clawhub.json that differ from registry fields). Confirm provenance before granting any broader access.
Overall: functionally coherent with a few minor but important operational and privacy notes — proceed if you trust your local environment and avoid using cookie extraction unless necessary.


latest: vk972z0jtfrhxrjqqmjhgnk767d83gxvv

