Tiktok Shop Publish
by lvjunjie-byte · GitHub · v1.0.0 · MIT-0
504 Downloads · 2 Stars · 3 Active Installs · 1 Versions
Install in OpenClaw
/install tiktok-shop-publish
Description
Automate TikTok Shop operations with batch product management, order processing, sales analytics, and marketing campaign automation.
Usage Guidance
This package mostly does what it says (TikTok Shop automation) but review before running:
- Manifest mismatch: the registry metadata lists no required credentials, yet SKILL.md and the code require TikTok API keys/secrets, shop ID, and Feishu credentials or webhook. Treat that as a transparency issue—confirm the required secrets with the publisher before installing.
- Sensitive data: the tool stores API keys, webhook URLs and session cookies in ~/.clawhub/tiktok-shop/config.json and credentials.json (the code sets 0o600 on credentials.json on non-Windows). Only install/run if you trust the source and are comfortable storing these secrets on the machine.
- Code quality issue: commands/account.js exports a getCurrentAccount function that calls getCurrentAccount() and will recurse — this looks like a bug that can crash runtime calls that depend on it. Consider obtaining a fixed version or running tests in a sandbox before using in production.
- Mock vs real API: the real TikTok API methods are unimplemented and the default is Mock mode. Real-mode requires you to populate real credentials and switch modes; verify the real API code before enabling it.
- Verify provenance: source/homepage are listed as unknown/none in the registry snapshot you provided; the package contains a clawhub.json claiming ClawHub and a GitHub URL—confirm the upstream repository and publisher identity (and check commit history) before trusting and supplying secrets.
- Safe testing: run the CLI in a controlled environment (isolated VM/container) first, inspect files it creates, and avoid entering production credentials until you confirm behavior. If you must use it, prefer creating dedicated API keys/accounts with limited permissions and rotate credentials after testing.
Capability Analysis
Type: OpenClaw Skill
Name: tiktok-shop-publish
Version: 1.0.0
The TikTok Shop Automation skill bundle is a well-structured CLI tool designed for e-commerce management, including product synchronization, order fulfillment, and data reporting. The code follows standard development practices, utilizing a modular architecture with clear separation of concerns across files like `bin/cli.js`, `src/api.js`, and `src/config.js`. It includes a functional mock API (`src/mock-api.js`) for testing and implements security best practices such as setting restrictive file permissions (0600) on local credential storage in `src/config.js`. No evidence of data exfiltration, unauthorized remote execution, or malicious prompt injection was found; all network activities are directed toward legitimate TikTok and Feishu (Lark) API endpoints as described in the documentation.
Capability Assessment
Purpose & Capability
The skill's name/description (TikTok Shop automation) matches the code: it implements product, order, video, analytics and Feishu integration. However the registry metadata declares no required environment variables or primary credential while SKILL.md and the code clearly expect TikTok API keys/secrets, shop ID, Feishu appToken/tableId/webhook and session cookies for accounts. That mismatch between declared registry requirements and actual runtime needs is an incoherence worth flagging.
Instruction Scope
SKILL.md instructs users to provide TikTok API credentials and webhook secrets and shows CLI commands and scheduled workflows — all consistent with purpose. The runtime code, however, uses a local config directory (~/.clawhub/tiktok-shop) to store configs/credentials and prompts for values via init. Instructions and code diverge on how credentials are provided (env vars in SKILL.md vs interactive config file in code). The code reads/writes only its own config and credentials files; it does not appear to instruct reading unrelated system files or exfiltrating data to unknown endpoints, but it will store session cookies and API secrets locally which are sensitive.
Install Mechanism
There is no install spec (instruction-only style for the registry), but the package includes JavaScript code (CLI). No downloads from third-party URLs or extract steps are present. Risk is typical for running a third-party CLI: the code will execute on the host when invoked and will write configuration files to the user's home directory.
Credentials
Requested secrets (TikTok API key/secret/shopId, Feishu tokens/webhook, and session cookies entered via add-account) are appropriate for the skill's claimed functionality. The problem is that the registry metadata omits the required env vars/primary credential while SKILL.md documents them; this omission reduces transparency. The skill also stores session cookies and API secrets in local files (credentials.json), which is expected but sensitive; the code attempts to set restrictive permissions on saved credentials (0o600), which is good practice.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It creates and maintains its own config directory under the user's home (~/.clawhub/tiktok-shop) and saves config and credentials there (expected for a CLI tool). It does not modify other skills or global agent settings in the code reviewed. Note: the skill can be executed autonomously by an agent (default platform behavior), but that alone is not flagged here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install tiktok-shop-publish
- After installation, invoke the skill by name or use /tiktok-shop-publish
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
TikTok Shop Automation Skill v1.0.0
- Initial public release
- Includes comprehensive product management features
- Automated order processing capabilities
- Basic sales and product analytics
- Marketing automation tools for coupons, livestreams, affiliate, and ads
Frequently Asked Questions
What is Tiktok Shop Publish?
Automate TikTok Shop operations with batch product management, order processing, sales analytics, and marketing campaign automation. It is an AI Agent Skill for Claude Code / OpenClaw, with 504 downloads so far.
How do I install Tiktok Shop Publish?
Run "/install tiktok-shop-publish" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Tiktok Shop Publish free?
Yes, Tiktok Shop Publish is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Tiktok Shop Publish support?
Tiktok Shop Publish is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Tiktok Shop Publish?
It is built and maintained by lvjunjie-byte (@lvjunjie-byte); the current version is v1.0.0.