Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TikTok Content Pipeline

v1.0.4

Automates TikTok carousel content creation, smart scheduling, publishing via Postiz API, and analytics-driven optimization for niche accounts.

by Matt Tandy @matttandy855
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and source clearly require a Postiz API key and a TikTok integration ID and rely on the external 'postiz' CLI and node dependencies (canvas/sharp/etc.). However the registry metadata lists no required env vars/credentials and claims no required binaries — an inconsistency. The credentials requested are appropriate for the stated purpose (publishing/analytics) but the packaging/metadata omission is a red flag.
Instruction Scope
Runtime instructions and code stay within the stated scope: generating carousel slides, scheduling, calling Postiz CLI for publishing and analytics, and writing data under accounts/ and output/. The skill can run external CLI commands via execSync to invoke Postiz; the code uses shell-escaping helpers before embedding user/config values into those commands. Note: the 'auto-improve' mode can modify account configs and auto-post — the doc correctly warns to test on a throwaway account.
Install Mechanism
Registry lists no install spec (marked as instruction-only) but the package includes full source and SETUP.md that requires 'npm install' and a global 'postiz-cli' installation; native dependencies (canvas, sharp) are declared and may require build toolchains. The absence of an explicit install spec in the registry combined with included code/files is inconsistent and increases risk because an installer might not automatically run required steps or might misrepresent what will be written/executed.
Credentials
The SKILL.md requires POSTIZ_API_KEY and a TikTok Integration ID (stored per-account config). Those credentials are proportional to the claimed functionality. However the registry metadata declares no required env vars or primary credential — a mismatch that could mislead users about what secrets the skill needs. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills' configs. It writes per-account files under its own directories and can auto-implement actions only within account configs. Autonomous invocation is enabled (platform default); combined with 'auto-improve' the skill could auto-post, so exercise caution when granting it runtime autonomy.
What to consider before installing
This package generally does what it says (generate/schedule/post via Postiz), but several inconsistencies merit caution:

  • Metadata mismatch: The registry entry claims no required env vars/binaries, but SKILL.md and code require POSTIZ_API_KEY, a TikTok integration ID, Node.js, and the 'postiz' CLI. Treat the registry metadata as unreliable until corrected.
  • Before installing: inspect package.json and SETUP.md, and confirm postiz-cli's origin (npm page or official Postiz site). Native deps like canvas/sharp can require build tools—install in a controlled environment.
  • Secrets: Provide POSTIZ_API_KEY only via a secure environment variable or secret manager; do not commit API keys into repo config files. If you must store config files, add them to .gitignore as recommended.
  • Test safely: Use a throwaway/test TikTok account and test templates and 'auto-improve' in dry-run mode first to confirm behavior (the skill can auto-post and auto-modify account configs).
  • Audit packages: Run 'npm install' in an isolated environment, then 'npm audit' and review dependencies for native code or uncommon publishers.
  • Runtime autonomy: If you plan to enable autonomous invocation for an agent that has this skill, consider restricting that agent's scope or disabling auto-implement features to prevent unintended automated posting.

If you want to proceed, ask the publisher or registry maintainer to correct the metadata (declare required env vars and required binaries/install steps) so you have an accurate inventory of what the skill will require.

Like a lobster shell, security has layers — review code before you run it.

latestvk970ngmpzdk6nmzzq0c0k19jg5820t60


SKILL.md

TikTok Content Pipeline — OpenClaw Skill

Automated TikTok carousel content generation, publishing, scheduling, and analytics-driven optimization for any niche.

Overview

This skill provides a complete content pipeline for TikTok accounts. It handles:

  • Content Generation — AI-generated carousel slides with hooks, CTAs, and keyword overlays
  • Smart Scheduling — Research-backed posting times with account-age-aware frequency
  • Publishing — Post to TikTok via Postiz API (supports drafts, scheduled posts, multi-platform)
  • Analytics & Optimization — Track performance, diagnose issues, auto-implement improvements

Required Credentials

| Credential | Purpose | How to Obtain |
|---|---|---|
| Postiz API Key | Publishing & analytics via Postiz CLI | Sign up at postiz.com → Settings → API Keys |
| TikTok Integration ID | Links your TikTok account to Postiz | Postiz dashboard → Integrations → Add TikTok |

Credential Storage (Important)

Recommended: Set POSTIZ_API_KEY as an environment variable (e.g. in ~/.zshrc or ~/.bashrc) rather than storing it in config files. The pipeline checks for this env var first.

Alternative: Store in accounts/<your-account>/config.json under postiz.apiKey. If using this approach, ensure the file is not committed to version control (add to .gitignore).

The Integration ID is account-specific and stored in per-account config.json.
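
An added example (not part of the skill's source) that models the env-first lookup described above and audits accounts/*/config.json for keys stored on disk. The function names, the placeholder list and the temporary fixture are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Placeholder strings taken from the README; treated as "no key set".
const PLACEHOLDERS = new Set(['', 'YOUR_KEY', 'your-key-here']);

// Env-first lookup, in the order the README describes (hypothetical helper).
function resolveApiKey(config, env = process.env) {
  if (env.POSTIZ_API_KEY) return { key: env.POSTIZ_API_KEY, source: 'env' };
  const stored = config && config.postiz && config.postiz.apiKey;
  if (typeof stored === 'string' && !PLACEHOLDERS.has(stored)) {
    return { key: stored, source: 'config' };
  }
  return { key: null, source: 'none' };
}

// Report every accounts/<name>/config.json that holds a non-placeholder key.
// A key left in a config file is easy to miss because the env var shadows it.
function auditAccounts(rootDir) {
  const accountsDir = path.join(rootDir, 'accounts');
  if (!fs.existsSync(accountsDir)) return [];
  const findings = [];
  for (const entry of fs.readdirSync(accountsDir, { withFileTypes: true })) {
    if (!entry.isDirectory()) continue;
    const file = path.join(accountsDir, entry.name, 'config.json');
    if (!fs.existsSync(file)) continue;
    let config;
    try {
      config = JSON.parse(fs.readFileSync(file, 'utf8'));
    } catch {
      findings.push({ account: entry.name, issue: 'unparseable config' });
      continue;
    }
    if (resolveApiKey(config, {}).source === 'config') {
      findings.push({ account: entry.name, issue: 'apiKey stored in config' });
    }
  }
  return findings;
}

// Constructed fixture: one account with a placeholder, one with a sample key.
function buildFixture() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'skill-audit-'));
  const write = (name, apiKey) => {
    const dir = path.join(root, 'accounts', name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'config.json'), JSON.stringify({ postiz: { apiKey } }));
  };
  write('clean', 'YOUR_KEY');
  write('leaky', 'constructed-sample-key');
  return root;
}
```

Any account the audit reports should have its key moved to the environment variable and, if the file was ever committed, rotated in Postiz.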

Security Notes

  • This skill executes the postiz CLI via shell commands. All arguments are escaped to prevent injection.
  • The skill writes files only within its own accounts/ and output/ directories.
  • auto-improve mode can modify account configs and auto-post — test on a throwaway account first.
  • Run npm audit after installing dependencies to check for known vulnerabilities.
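
An added example, not the skill's own code, of two checks a reviewer can hold the first two notes against: passing values to a child process as an argument array so no shell ever parses them, and confining an account name to a directory under accounts/. The child process here is a Node one-liner standing in for an external CLI; the function names and the name pattern are assumptions.

```javascript
const { execFileSync } = require('node:child_process');
const path = require('node:path');

// Stand-in "CLI": prints the arguments it received as a JSON array.
const ECHO_ARGV = 'console.log(JSON.stringify(process.argv.slice(1)))';

// Run the stand-in with an argument array. No shell is involved, so quotes,
// semicolons, backticks and $(...) reach the child as literal text. The "--"
// stops the child from reading a value that starts with "-" as an option.
function runWithoutShell(args) {
  const out = execFileSync(process.execPath, ['-e', ECHO_ARGV, '--', ...args], {
    encoding: 'utf8',
    shell: false,
    timeout: 10000,
  });
  return JSON.parse(out);
}

// Map an account name to <root>/accounts/<name>. The allowlist rejects path
// separators, dot segments and leading dashes; the dirname check is a second
// guard in case the pattern is ever loosened.
function accountDir(root, name) {
  if (typeof name !== 'string' || !/^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/.test(name)) {
    throw new Error(`invalid account name: ${JSON.stringify(name)}`);
  }
  const base = path.resolve(root, 'accounts');
  const dir = path.resolve(base, name);
  if (path.dirname(dir) !== base) throw new Error('path escapes accounts/');
  return dir;
}

// Constructed caption containing shell metacharacters.
const SAMPLE_CAPTION = 'Remember this? "; echo INJECTED; $(id) `id` #fyp';

// True when the child received the caption byte-for-byte as one argument.
function captionSurvives() {
  const argv = runWithoutShell([SAMPLE_CAPTION, 'my-brand']);
  return argv.length === 2 && argv[0] === SAMPLE_CAPTION && argv[1] === 'my-brand';
}
```

Escaping values into a command string, as the skill is described as doing, is only as good as the escaping helper; an argument array removes the shell from the path entirely.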

Quick Setup

  1. Set your Postiz API key: export POSTIZ_API_KEY="your-key-here"
  2. Copy config.example.json to accounts/<your-account>/config.json
  3. Fill in your TikTok integration ID
  4. Create or adapt a template in templates/ for your niche
  5. Run: node cli.js create <account> --template <template-name>

See SETUP.md for the full setup guide.


How to Use This Skill

1. Create a New Account

node cli.js create my-brand --template example-nostalgia

This copies the template into accounts/my-brand/ and sets createdAt to now.

2. Configure the Account

Edit accounts/my-brand/config.json:

{
  "account": { "name": "my-brand", "handle": "@mybrand", "niche": "your-niche", "createdAt": "2026-01-15T00:00:00Z" },
  "postiz": { "apiKey": "YOUR_KEY", "integrationId": "YOUR_TIKTOK_ID" },
  "posting": { "timezone": "Europe/London" }
}

Or use the CLI:

node cli.js config my-brand --handle @mybrand --integration-id YOUR_ID --api-key YOUR_KEY

3. Generate Content

node cli.js generate my-brand --type showcase
node cli.js generate my-brand --type showcase --post  # Generate and post as draft

The generator uses the template's generator.js to create carousel slides, applies hooks from config, adds keyword overlays for TikTok SEO, and outputs to accounts/my-brand/output/.

4. Check the Posting Schedule

node cli.js schedule my-brand          # This week's schedule
node cli.js schedule my-brand --next   # Next optimal posting slot

The scheduler automatically adjusts frequency based on account age:

  • Days 0-24: Daily posting (building momentum)
  • Days 25-30: Taper from 7 → 4 posts/week
  • Day 31+: 3-4 posts/week on optimal days

5. Run Analytics

node cli.js analytics my-brand --days 7
node cli.js analytics my-brand --days 7 --auto-improve  # Auto-implement fixes

Research-Backed Viral Mechanics

These findings are baked into the framework's scheduling, optimization, and content scoring:

Algorithm Priority Signals

  1. Watch time & completion rate — most critical signal. 80%+ completion = 5x reach.
  2. First 3-second hook — determines whether content gets distributed at all.
  3. Shares — strongest engagement signal for virality.
  4. Saves — growing importance. 15%+ save-to-view = high-value content.
  5. Comment engagement — quality conversations > generic comments.

Posting Strategy

  • 3-4 posts/week is optimal for established accounts (NOT 3/day — that hurts reach)
  • Best days: Wednesday, Tuesday, Thursday
  • Best times: Tue 5pm, Wed 2-5pm, Thu 3-5pm
  • New accounts: Post daily for first 30 days to build momentum
  • Max 1 post/day for established accounts (2/day max for new accounts)

Carousel Advantages

  • 3x more saves than standard video
  • 40% longer dwell time when users engage
  • Lower production barrier — slides are easier to produce than video
  • 5-7 slides optimal for maintaining attention
  • First slide is everything — must hook immediately

Hook Patterns That Work

| Type | Example | Avg Engagement |
|---|---|---|
| Contradiction | "Everyone thinks X, but actually..." | 9%+ |
| Challenge | "If you used X, you had no skill 😂" | 11%+ |
| Gatekeeping | "Only real ones remember..." | 8%+ |
| POV | "POV: You just discovered..." | 7%+ |
| Nostalgia | "Remember this? 🔥" | 6%+ |
| Question | "Would you do this? Yes or no 👇" | 8%+ |

Content Scoring

The ViralOptimizer scores content before posting (0-100):

  • Hook quality (40% weight) — length, power words, emoji, question format
  • Structure (30% weight) — slide count, audio, format
  • Engagement potential (30% weight) — CTA presence, opinion-split, hashtag count

Verdicts:

  • 80+ = 🔥 HIGH VIRAL POTENTIAL — Post immediately
  • 65+ = ✅ GOOD — Ready to post
  • 50+ = ⚠️ DECENT — Consider optimizing
  • 35+ = 🔧 NEEDS WORK — Apply suggestions
  • <35 = ❌ LOW POTENTIAL — Rethink approach

Diagnostic Matrix

When analyzing post performance, use this matrix to decide what to fix:

| Views | Engagement | Diagnosis | Action |
|---|---|---|---|
| High (>1000) | High (>5%) | SCALE | Create 3 variations of this content. Test same hook with different visuals. |
| High (>1000) | Low (<3%) | FIX CTA | Hook is working — add stronger call-to-action. Add opinion-split or challenge. |
| Low (<500) | High saves (>10%) | FIX HOOK | Content converts — needs better opening hook. Test trending audio. Stronger first-slide text. |
| Low (<500) | Low (<3%) | FULL RESET | Try radically different format. Research top creators in niche. Test different posting time. |

Key Thresholds

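| Metric | Target | Viral | Poor |
|---|---|---|---|
| Completion rate | 80% | 90% | 40% |
| Save-to-view ratio | 15% | 25% | 3% |
| Share rate | 8% | 15% | 2% |
| Comment rate | 5% | 10% | 1% |
| Profile visit rate | 12% | 20% | 3% |
| Follower conversion | 8% | 15% | 2% |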

Creating a Custom Template

Templates define the content types, hooks, hashtags, and generation logic for a niche.

Template Structure

templates/your-niche/
├── config.json      # Content types, hooks, hashtags, settings
├── generator.js     # Content generation logic (extends ContentGenerator)
└── README.md        # Template documentation

config.json Required Fields

{
  "account": { "template": "your-niche", "niche": "Your Niche" },
  "content": {
    "types": {
      "your-content-type": { "description": "...", "slides": 6 }
    },
    "hashtagSets": {
      "default": ["#yourniche", "#fyp"]
    }
  },
  "hooks": {
    "your-content-type": ["Hook text 1", "Hook with {placeholder} 2"]
  },
  "posting": { "timezone": "Europe/London" }
}

generator.js Pattern

const ContentGenerator = require('../../core/ContentGenerator');

class YourNicheGenerator extends ContentGenerator {
  getSupportedTypes() {
    return Object.keys(this.config.content.types);
  }

  async _generateContent(contentType, options, outputDir) {
    this._ensureOutputDir(outputDir);
    const hook = this.getSlide1Hook(contentType, options);
    // Generate slides using sharp/canvas/ImageMagick
    // Return { slides: [...paths], hook: hook.text, caption: '...' }
  }
}

module.exports = YourNicheGenerator;

Architecture

tiktok-content-pipeline/
├── cli.js                    # Universal CLI
├── core/
│   ├── ContentGenerator.js   # Abstract base for content generation
│   ├── Publisher.js          # Postiz API integration
│   ├── PostingScheduler.js   # Smart scheduling engine
│   ├── ViralOptimizer.js     # Content scoring & optimization
│   └── AnalyticsEngine.js    # Performance tracking & insights
├── accounts/                 # Per-account configs & output (created at runtime)
└── templates/                # Niche templates
    └── example-nostalgia/    # Example template to fork

Core Components

  • ContentGenerator — Abstract base class. Subclass it per niche. Handles hooks, question hooks, keyword overlays, placeholder replacement.
  • Publisher — Posts to TikTok (and other platforms) via Postiz CLI. Handles media upload, scheduling, draft mode, and post metadata saving.
  • PostingScheduler — Account-age-aware scheduling. Knows optimal days/times from research. Supports weekly schedule generation and overdue detection.
  • ViralOptimizer — Pre-post content scoring. Post-performance diagnostic matrix. Hook pattern library with engagement-weighted selection.
  • AnalyticsEngine — Pulls metrics from Postiz API. Generates reports with alerts, opportunities, and auto-implementable actions.

Files

13 total