v1.0.0

A skill that automates repurposing Chinese social videos (Douyin/Bilibili/Xiaohongshu) to international platforms (TikTok/YouTube/Instagram) via the Lumi API — handling translation, AI dubbing, and publishing in one workflow.

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:50 AM.

Analysis

This skill is coherent for Lumi social-media automation, but it needs review because it can use your Lumi key to automatically publish videos to connected TikTok, YouTube, and Instagram accounts.

GuidanceInstall only if you trust Lumi and want an agent to help publish through your connected social accounts. Before use, verify the exact account, platform, caption, visibility, and final localized video, and avoid automatic public posting unless you are comfortable with the result appearing publicly.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

TikTok 隐私设置 | 可选 | 默认 PUBLIC_TO_EVERYONE ... **autoPublish 默认启用** ... 必须始终设置 `autoPublish` 字段，无需额外询问用户是否自动发布。

The workflow defaults TikTok posting to public and requires autoPublish when platforms are selected, without a separate final approval step after translation/dubbing completes.

User impactA mistaken source link, caption, account choice, or AI-generated translation could be posted publicly to one or more connected social accounts before the user reviews the final video.

RecommendationRequire explicit final confirmation before publishing, show the selected accounts/caption/privacy settings and a preview or output link first, and default privacy to private, unlisted, or self-only unless the user explicitly chooses public.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

_meta.json

"owner": "lumi", "slug": "lumi-api", "latest": { "version": "0.2.0" }

The packaged metadata does not match the supplied registry slug/version for the evaluated skill, creating a provenance ambiguity for a credentialed publishing tool.

User impactUsers may have less certainty that the installed package corresponds to the registry entry they reviewed.

RecommendationVerify the skill's official Lumi source, homepage, slug, and version before installing or providing a Lumi API key.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

Auth: `Authorization: Bearer $LUMI_API_KEY` ... 调用 `GET /api/v1/connections` 获取目标平台的 `connectionId`

The Lumi API key is used to enumerate connected social accounts and perform actions against them, which is expected for the skill but is sensitive delegated account authority.

User impactIf the key is misused, actions could be taken through the user's connected Lumi social accounts, including publishing videos or viewing account-related information.

RecommendationUse a dedicated least-privilege Lumi key if available, keep it out of chat logs and shared environments, verify connected accounts before posting, and revoke or rotate the key when no longer needed.