Tiktok Shop Publish

Automate TikTok Shop operations with batch product management, order processing, sales analytics, and marketing campaign automation.

This package mostly does what it says (TikTok Shop automation) but review before running: - Manifest mismatch: the registry metadata lists no required credentials, yet SKILL.md and the code require TikTok API keys/secrets, shop ID, and Feishu credentials or webhook. Treat that as a transparency issue—confirm the required secrets with the publisher before installing. - Sensitive data: the tool stores API keys, webhook URLs and session cookies in ~/.clawhub/tiktok-shop/config.json and credentials.json (the code sets 0o600 on credentials.json on non-Windows). Only install/run if you trust the source and are comfortable storing these secrets on the machine. - Code quality issue: commands/account.js exports a getCurrentAccount function that calls getCurrentAccount() and will recurse — this looks like a bug that can crash runtime calls that depend on it. Consider obtaining a fixed version or running tests in a sandbox before using in production. - Mock vs real API: the real TikTok API methods are unimplemented and the default is Mock mode. Real-mode requires you to populate real credentials and switch modes; verify the real API code before enabling it. - Verify provenance: source/homepage are listed as unknown/none in the registry snapshot you provided; the package contains a clawhub.json claiming ClawHub and a GitHub URL—confirm the upstream repository and publisher identity (and check commit history) before trusting and supplying secrets. - Safe testing: run the CLI in a controlled environment (isolated VM/container) first, inspect files it creates, and avoid entering production credentials until you confirm behavior. If you must use it, prefer creating dedicated API keys/accounts with limited permissions and rotate credentials after testing.

Type: OpenClaw Skill Name: tiktok-shop-publish Version: 1.0.0 The TikTok Shop Automation skill bundle is a well-structured CLI tool designed for e-commerce management, including product synchronization, order fulfillment, and data reporting. The code follows standard development practices, utilizing a modular architecture with clear separation of concerns across files like `bin/cli.js`, `src/api.js`, and `src/config.js`. It includes a functional mock API (`src/mock-api.js`) for testing and implements security best practices such as setting restrictive file permissions (0600) on local credential storage in `src/config.js`. No evidence of data exfiltration, unauthorized remote execution, or malicious prompt injection was found; all network activities are directed toward legitimate TikTok and Feishu (Lark) API endpoints as described in the documentation.