Security Audit

tiktok-android-bot

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

tiktok-android-bot received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 27 findings: 11 critical, 11 high, 4 medium, and 0 low severity. Key findings include Unsafe environment variable passthrough, Arbitrary command execution, Credential harvesting.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

Dependency Graph

79%

LLM Behavioral Safety

63%

Behavioral Risk Signals

Network Access

2 findings

Filesystem Write

2 findings

Shell Execution

18 findings

Dynamic Code

2 findings

Excessive Permissions

2 findings

Security Findings27

Severity	Finding	Layer	Location
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/mladjan/tiktok-android/run_complete_session.py:27
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/mladjan/tiktok-android/run_full_campaign.py:248
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/mladjan/tiktok-android/src/bot/android/tiktok_android_bot.py:35
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/mladjan/tiktok-android/src/bot/android/tiktok_android_bot.py:57
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/mladjan/tiktok-android/src/bot/android/tiktok_android_bot.py:166
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/mladjan/tiktok-android/src/bot/android/tiktok_android_bot.py:363
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/mladjan/tiktok-android/tiktok_bot.py:51
CRITICAL	Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands.	Manifest	skills/mladjan/tiktok-android/tiktok_bot.py:88
CRITICAL	Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores.	Manifest	skills/mladjan/tiktok-android/src/ai_comments.py:13
CRITICAL	Credential harvesting Reading well-known credential environment variables Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores.	Manifest	skills/mladjan/tiktok-android/src/ai_comments.py:54
CRITICAL	Dangerous call: os.system() Call to 'os.system()' detected in function '<module>'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/mladjan/tiktok-android/tiktok_bot.py:51
HIGH	Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough.	Manifest	skills/mladjan/tiktok-android/src/ai_comments.py:13
HIGH	Unsafe environment variable passthrough Access to well-known credential environment variables Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough.	Manifest	skills/mladjan/tiktok-android/src/ai_comments.py:54
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/mladjan/tiktok-android/run_complete_session.py:27
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/mladjan/tiktok-android/run_full_campaign.py:248
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_is_device_connected'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/mladjan/tiktok-android/src/bot/android/tiktok_android_bot.py:35
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_adb_shell'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/mladjan/tiktok-android/src/bot/android/tiktok_android_bot.py:57
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'take_screenshot'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/mladjan/tiktok-android/src/bot/android/tiktok_android_bot.py:363
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'install_tiktok'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/mladjan/tiktok-android/src/bot/android/tiktok_android_bot.py:166
HIGH	Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'get_device_id'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives.	Static	skills/mladjan/tiktok-android/tiktok_bot.py:88
HIGH	User-configurable AI prompt allows LLM manipulation The `AI_COMMENT_PROMPT` in `config.py` can be set by the user via `setup.py`. This prompt is directly used to instruct an external Large Language Model (LLM) (Claude/GPT) to generate comments. A malicious user could craft a prompt to manipulate the LLM's behavior, leading to the generation of inappropriate, harmful, or misleading content that is then posted to TikTok. While the generated comment is sanitized for shell injection before posting, the LLM itself can be coerced into undesirable outputs. Implement strict validation and sanitization of user-provided `AI_COMMENT_PROMPT` to limit its ability to manipulate the LLM. Consider using a fixed prompt structure with user input only filling specific, constrained slots, rather than allowing free-form prompt modification.	LLM	src/ai_comments.py:16
HIGH	Screenshots of user activity sent to external AI services The skill captures screenshots of the user's TikTok feed and videos (`bot.take_screenshot`) and sends these images to third-party AI services (Anthropic, OpenAI, OpenRouter) for analysis and comment generation. These screenshots may contain sensitive personal information, faces, or private content visible on the user's TikTok feed. Sending this visual data to external services constitutes data exfiltration to those services. Users should be explicitly aware of this data sharing. Clearly inform users that screenshots of their TikTok activity will be sent to third-party AI providers. Provide an option to disable AI-generated comments or to use a local, privacy-preserving alternative if available. Ensure that no personally identifiable information (beyond what's visible on the public TikTok feed) is inadvertently captured or transmitted.	LLM	src/ai_comments.py:20
MEDIUM	Unpinned Python dependency version Requirement 'loguru>=0.7.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'.	Dependencies	skills/mladjan/tiktok-android/requirements.txt:1
MEDIUM	Unpinned Python dependency version Requirement 'anthropic>=0.18.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'.	Dependencies	skills/mladjan/tiktok-android/requirements.txt:2
MEDIUM	Unpinned Python dependency version Requirement 'openai>=1.12.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'.	Dependencies	skills/mladjan/tiktok-android/requirements.txt:3
MEDIUM	Use of `os.system` for script execution The `tiktok_bot.py` script uses `os.system("python3 setup.py")` to invoke the setup wizard. While `setup.py` is a trusted script within the package, `os.system` executes commands via the system's shell. This method is generally less secure than `subprocess.run` with `shell=False` because it can be vulnerable to command injection if the command string or its components are derived from untrusted input, or if the execution environment (e.g., `PATH` variable) is compromised. In this specific case, the command string is hardcoded, reducing immediate risk, but it's a less robust practice. Replace `os.system("python3 setup.py")` with `subprocess.run([sys.executable, "setup.py"], check=True)`. This executes the script directly without involving the shell, making it more secure and robust.	LLM	tiktok_bot.py:30
INFO	Dependencies are not fully pinned The `requirements.txt` file specifies dependencies using minimum versions (e.g., `loguru>=0.7.0`, `anthropic>=0.18.0`, `openai>=1.12.0`). While this allows for updates, it does not pin to exact versions. This introduces a minor supply chain risk where future versions of these libraries could introduce breaking changes, unexpected behavior, or even vulnerabilities without explicit review. Pin all dependencies to exact versions (e.g., `loguru==0.7.0`) to ensure reproducible builds and prevent unexpected changes from upstream packages. Use a tool like `pip-compile` or `pip freeze > requirements.txt` after verifying dependencies.	LLM	requirements.txt:1

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/1badb43935e11558.svg)](https://skillshield.io/report/1badb43935e11558)