TikTok Packager
PassAudited by ClawScan on May 10, 2026.
Overview
This skill largely does what it says: it generates local TikTok-style slide assets, with a clearly optional Postiz upload path that uses API credentials.
This appears safe for local slide generation. Before enabling --postiz, confirm you want the generated slides and caption sent to Postiz, use a trusted POSTIZ_BASE_URL, and keep API credentials scoped and temporary where possible.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill will execute local Node and Python code to render and validate images.
The skill executes a local Python renderer, which is expected for generating PNG slides but means installing/running the skill executes bundled helper code.
const result = spawnSync("python3", ["scripts/render_slides_pillow.py", "--spec", specPath, "--out", slidesDir, "--font", fontPath], { stdio: "inherit" });Run it from the intended skill directory, review helper scripts if you are cautious, and use --dry-run when you want to avoid rendering/uploading.
If --postiz is used, the skill can upload the generated slides and create a Postiz/TikTok draft rather than staying local-only.
The optional Postiz path sends generated media and caption content to create a draft/private post, which is purpose-aligned but mutates a third-party account.
const payload = { integrationId, caption, media: mediaRefs, privacy_level: "SELF_ONLY", content_posting_method: "UPLOAD" }; ... fetch(`${baseUrl}/posts`, { method: "POST", ... })Use --postiz only when you intend to create a draft; otherwise run without it or use --no-upload/--dry-run.
A Postiz API key gives the skill permission to upload media and create drafts for the configured integration.
The optional upload flow uses a Postiz API key from the environment as delegated account authority.
const apiKey = requireEnv("POSTIZ_API_KEY"); ... headers: { Authorization: apiKey }Use the least-privileged Postiz key available, keep POSTIZ_BASE_URL pointed at a trusted endpoint, and unset credentials when not using uploads.