Security Scan
OpenClaw
Suspicious
High confidence. The skill appears to implement a legitimate TikTok bulk-publishing tool, but its package/registry metadata does not declare the credentials the code and SKILL.md require, which is an incoherence users should understand before installing.
Assessment Recommendation
This skill's code and SKILL.md legitimately require TikTok credentials (client key, client secret, access token), but the registry metadata does not declare them — that's a transparency/information mismatch. Before installing: (1) verify the skill source (follow the repository URL in package.json or contact the author); (2) review the included tiktok_publisher.py yourself or have someone you trust inspect it; (3) only provide short-lived or scoped test tokens (and avoid reusing production crede...
ℹ Purpose and Capabilities
The name, README, SKILL.md, and code all align with a TikTok bulk-publisher (upload, chunked upload, finalize, status). However the registry metadata claims no required environment variables or primary credential while SKILL.md and the code expect TikTok credentials (client key, secret, access token). That mismatch is unexpected and reduces transparency.
✓ Instruction Scope
SKILL.md instructions stay within the stated purpose: they describe exporting TIKTOK_CLIENT_KEY / TIKTOK_CLIENT_SECRET / TIKTOK_ACCESS_TOKEN and running the Python script or using its Python API. The instructions don't ask the agent to read unrelated system files or exfiltrate arbitrary data.
ℹ Installation Mechanism
There is no install spec (instruction-only), which is low risk. A code file (tiktok_publisher.py) and package.json are included; package.json references a GitHub repo and installation via 'npx clawhub install' but no automated installer is declared. This is not itself malicious but inconsistent and worth verifying.
⚠ Credential Requirements
The code and SKILL.md require TikTok credentials (client key/secret and access token) — these are appropriate for the stated purpose. The concern is that the registry metadata omitted declaring any required env vars/primary credential, meaning users may not be warned by the registry about needing to supply sensitive tokens. Verify scope and origin before providing credentials.
✓ Persistence and Permissions
The skill does not request 'always: true' or other persistent privileges, and does not attempt to modify other skills or system-wide settings. Agent autonomous invocation is allowed by default (normal).
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v1.0.0 2026/3/20
TikTok bulk-publishing skill v1.0.0 - Initial release, supports batch automatic upload and publishing of TikTok video content - Supports custom video titles, descriptions, privacy levels, and control of the comment/duet/stitch features - Supports chunked upload of large files and checking publish status - Provides an OAuth 2.0 authorization flow - Usable via the command line and a Python API - Lists dependencies, environment variable configuration, and common error codes
● Benign
Install Command
Official: npx clawhub@latest install tiktok-bulk-publisher-test
Mirror: npx clawhub@latest install tiktok-bulk-publisher-test --registry https://cn.longxiaskill.com