tiktok-post

SUSPICIOUS: The skill is internally coherent and uses same-org Publora endpoints, so it does not look malicious. However, it grants a third-party remote MCP server a persistent API key and the ability to perform autonomous public posting on TikTok, which creates meaningful security and real-world action risk beyond a low-risk documentation skill.