autoecom

Pass. Audited by ClawScan on May 9, 2026.

Overview

The skill is coherent for scheduled ecommerce carousel publishing, but it needs social-posting credentials and recurring automation that users should deliberately approve.

Install this only if you want an agent to generate ecommerce social content on a recurring schedule. Before enabling it, verify the repository/source, configure dedicated API keys, confirm the Upload-Post profile connects only the intended Instagram and TikTok accounts, keep the approval-before-publish step, and know how to disable the daily and weekly routines.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved or misconfigured, a run can create Instagram and TikTok content for the connected profile.

Why it was flagged

The workflow includes a tool path that publishes or drafts content on connected social accounts. This is central to the skill's purpose, but it affects public/business channels.

Skill content

9. **Publish** — multipart POST to Upload-Post → IG carousel + TikTok draft.

Recommendation

Confirm the Upload-Post profile points only to the intended accounts, preview every carousel, and keep the approval step before publishing.

What this means

The skill can use paid/privileged provider APIs and publish through the configured Upload-Post profile.

Why it was flagged

The skill requires API credentials for Gemini and Upload-Post. These are expected for generation and publishing, but they grant delegated authority and should be handled carefully.

Skill content

env: [STORE_URL, GEMINI_API_KEY, UPLOAD_POST_API_KEY, UPLOAD_POST_PROFILE]

Recommendation

Use dedicated API keys where possible, keep them in the .env file only, do not paste them into chat after setup, and revoke them if the skill is no longer used.

Note, High Confidence

ASI10: Rogue Agents

What this means

The agent may run the carousel workflow and learning workflow on a schedule until the routines are disabled.

Why it was flagged

The skill asks the harness to create recurring daily and weekly routines. This is disclosed and purpose-aligned, but it is persistent autonomous operation.

Skill content

Two scheduled routines (REQUIRED — install on first run) ... the agent MUST verify both routines exist and offer to create whichever is missing.

Recommendation

Create the routines only if you want ongoing automation, record where they are installed, and periodically verify or remove the schedules.

What this means

Future carousels may be shaped by stored learning files; if those files are wrong or tampered with, future content quality or messaging could drift.

Why it was flagged

The skill stores HOT_HOOKS.md and HOT_IMAGERY.md learnings and reuses them in later content generation. This is an intended learning loop, but persistent context can influence future outputs.

Skill content

Two evidence-backed priors are maintained from real engagement and re-injected into future runs

Recommendation

Review the learnings folder occasionally and restrict write access to the skill directory.

What this means

Installing from a remote repository runs code and dependencies outside the registry install metadata path.

Why it was flagged

The setup path asks an agent to clone a remote repository and install Python dependencies. This is a normal setup pattern for this skill, and requirements.txt pins versions, but users should still verify the source.

Skill content

clone the repo into ~/Documents/skill-autoecom, create the venv, install requirements.txt

Recommendation

Clone only the expected repository, inspect the files before running, and consider pinning a commit or release tag.