TikTok Carousel Generator
Security checks across malware telemetry and agentic risk
Overview
This skill can generate TikTok carousels, but it asks for and stores TikTok session cookies for browser-based posting with unclear safeguards.
Install only if you are comfortable giving the skill TikTok session-level access. Use a separate TikTok account if possible, review every generated carousel before posting, inspect the scripts and dependency setup, and delete any saved tiktok_cookies.json file when you are done.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any automation with access to the saved cookie file may be able to act as your TikTok account.
The code saves and reuses TikTok browser session cookies, which can grant account-level access for actions as the user, but does not clearly define scope, storage protections, expiration, or safe handling.
COOKIES_FILE = DATA_DIR / "tiktok_cookies.json"
...
cookies = driver.get_cookies()
with open(COOKIES_FILE, 'w') as f:
    json.dump(cookies, f)
...
for cookie in cookies:
    driver.add_cookie(cookie)
Use a dedicated/test TikTok account, store cookies securely, delete them when finished, and prefer scoped official OAuth/API access where possible.
Generated content could be prepared for posting under your TikTok account without a clearly documented final human review step.
The posting path uses headless browser automation, session cookies, and a stealth-like browser flag to reach the TikTok upload flow; public posting is high-impact and the artifacts do not show an explicit preview/approval gate.
"""TikTok Poster
Posts carousels to TikTok using cookies"""
...
options.add_argument("--headless")
options.add_argument("--disable-blink-features=AutomationControlled")
...
upload_btn.click()
Require an explicit preview and confirmation before any upload/post action, avoid stealth automation flags unless clearly justified, and document exact posting limits.
It is harder to know exactly which code and dependencies will run on your machine, especially for a skill that handles account cookies.
The package has unclear provenance, no install specification, and ships a large bundled virtual environment despite runnable scripts, making dependency review and reproducible installation difficult.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill. ... Code file presence 1724 code file(s): scripts/generate_carousel.py ... venv/lib/python3.14/site-packages/...
Publish a minimal package with a pinned lockfile, remove the bundled virtual environment, declare Python/Selenium/Chrome requirements, and provide a clear install spec.
Bad metrics or accidental inputs could steer future carousel strategy until the saved data is reviewed or cleared.
The learning loop persists performance-derived insights for future strategy changes, which is purpose-aligned but means incorrect or manipulated metrics can influence later content decisions.
strategy["last_updated"] = datetime.now().isoformat()
strategy["insights"] = insights
strategy_file.write_text(json.dumps(strategy, indent=2))
Review stored metrics and strategy files periodically, and provide a simple way to reset or edit the learning state.
