LarrySkill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is purpose-aligned for TikTok marketing, but it asks for social-posting authority, API credentials, scheduled automation, and revenue/customer analytics access that users should review carefully.

Install only if you are comfortable giving the agent controlled access to your Postiz/social accounts and any image-generation or RevenueCat keys. Keep publishing approval manual, prefer drafts, pin/review dependencies, protect local report files, and do not connect production revenue credentials unless you need conversion reporting.

Static analysis

Exposed secret literal (Critical)

Finding

File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could create or schedule public marketing posts on connected social accounts if given Postiz access.

Why it was flagged

Posting and cross-posting through Postiz can mutate public social accounts and publish content. This is aligned with the marketing purpose, but it is high-impact account authority and the artifacts do not clearly bound approval/review for every cross-posting path.

Skill content

posts via Postiz, tracks analytics, and iterates on what works... cross-posting to Instagram/YouTube/Threads

Recommendation

Connect only intended social accounts, keep posts as drafts where possible, and require explicit user approval before publishing or cross-posting.

What this means

A RevenueCat secret key can expose sensitive subscriber, purchase, and revenue data if mishandled.

Why it was flagged

The skill asks for high-privilege RevenueCat secret credentials for conversion tracking. That can be legitimate, but it exceeds the registry’s declared credential contract of no primary credential or required env vars.

Skill content

Get the **V1 Secret API Key** from RevenueCat Dashboard → Project Settings → API Keys. Use the **secret** key (sk_), NOT the public key.

Recommendation

Use the least-privileged key available, store it outside shared project files when possible, and revoke/rotate it if the skill is removed or shared.

What this means

Setup may install packages or build tools on the local machine, which can affect the environment.

Why it was flagged

The dependency is purpose-aligned, but it is unpinned and may require native build tools; there is no install spec to constrain exactly what gets installed.

Skill content

node-canvas (`npm install canvas`) — used for adding text overlays... Your agent should research the install requirements for your OS.

Recommendation

Install dependencies manually or in a dedicated project/container, pin package versions, and review OS-level install steps before approving them.

What this means

Local report files may contain revenue, transaction, or customer-related data that should not be casually shared.

Why it was flagged

When RevenueCat is enabled, the daily report stores RevenueCat metrics and transaction items in a local snapshot file. This is useful for reporting but persists sensitive business/customer data.

Skill content

transactions: transactions.items || [] ... fs.writeFileSync(rcSnapshotPath, JSON.stringify({ date: dateStr, ...rcMetrics }, null, 2));

Recommendation

Keep the marketing directory private, avoid committing snapshots to source control, and periodically delete old RevenueCat snapshots if not needed.

What this means

The skill may keep fetching analytics and writing reports on a schedule.

Why it was flagged

The scheduled job is disclosed and purpose-aligned for daily analytics, but it is persistent automation that will continue running after setup unless the user disables it.

Skill content

Set up a cron job to run every morning before the first post

Recommendation

Create scheduled jobs only after explicit approval, document where the cron entry is installed, and remove it when the marketing automation is no longer wanted.

What this means

Following this guidance could put a TikTok account at risk if it violates platform rules or appears manipulative.

Why it was flagged

The onboarding guidance frames account warmup around avoiding bot detection and throttling. That may help marketing performance, but it can encourage platform-risky behavior and overtrust in automation.

Skill content

if you go straight from creating an account to posting AI slideshows, it flags you as a bot and kills your reach... Don't like everything — that's bot behaviour.

Recommendation

Review TikTok’s terms and avoid deceptive engagement patterns; use the skill for legitimate content planning rather than platform-signal manipulation.