Viraloop
[Warn] Audited by ClawScan on May 10, 2026.
Overview
Viraloop is upfront about automating social posting, but it directs the agent to publish publicly without an approval step, to keep itself running on a recurring schedule that it may modify, and its publish script builds a shell command string from caption text and runs it with eval.
Use this only if you are comfortable with fully automated public social posting. Before installing, patch the publish script to remove eval, disable or tightly control the daily scheduler, require a manual review step before anything is published, and use dedicated, least-privilege API tokens.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: Mistaken, low-quality, or unwanted content could be posted publicly to TikTok and Instagram before the user sees it.
Detail: The skill directs the agent to perform a high-impact external action, publishing live social media posts, without an approval checkpoint or preview.
Evidence: "The agent executes the entire pipeline without asking for confirmation — from research to publishing — and only notifies you at the end with the published TikTok and Instagram URLs."
Recommendation: Require explicit user approval after the slides and caption have been reviewed and before anything is published; default to drafts or a private/test account.
Impact: The skill could keep posting on future days or change when it runs, creating public activity the user does not expect.
Detail: The skill instructs the agent to keep operating on a recurring schedule and to modify its own automation timing; this is persistent autonomous behavior.
Evidence: "This skill is designed to run every day, fully autonomous... automatically adjust its own cron/automation schedule"
Recommendation: Make scheduling opt-in, document the exact scheduler mechanism (cron or otherwise), require user approval for any schedule change, and provide a clear disable/cleanup command.
Impact: A malicious or malformed website or caption could cause the publishing script to run unintended local commands, potentially exposing credentials or altering files.
Detail: Caption text is interpolated into a shell command string that is then executed with eval. The caption lands inside single quotes within that string, so a caption containing a single quote followed by shell metacharacters (a semicolon, backticks, $(...)) closes the quoted argument and the remainder is parsed and executed as further commands. Because the caption is generated text or read from a file, this turns website-derived or file-sourced content into local command execution.
Evidence: CAPTION=$(cat "$CAPTION_FILE") ... CMD="$CMD -F 'title=$CAPTION_TRUNCATED'" ... RESPONSE=$(eval $CMD)
Recommendation: Remove eval and build the curl invocation as an argument list (a bash array, or set -- in POSIX sh) so the caption is passed as a single argument, e.g. -F "title=$CAPTION_TRUNCATED"; treat all website-derived text as untrusted.
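To make the injection concrete, here is an added demonstration (not code from Viraloop or from ClawScan) of the eval-based construction beside the argument-list fix. It assumes a stand-in send function in place of curl so it runs offline, a constructed caption that closes the single quote, and an illustrative file name clip.mp4; none of these come from the skill.

```bash
#!/usr/bin/env bash
# Added example: caption injection through eval, and the argument-list fix.
# "send" stands in for curl so the demonstration runs offline; it only
# prints each argument it receives, one per line.
send() { printf 'arg:%s\n' "$@"; }

# Constructed malicious caption. The single quote closes the quoted
# 'title=...' argument inside the command string; "; echo INJECTED; echo '"
# then runs as its own command and re-balances the quoting.
MALICIOUS_CAPTION="Day 3 of building in public'; echo INJECTED; echo '"

# Vulnerable pattern from the finding: the caption is spliced into a command
# string and the string is handed to eval. Quoting "$cmd" does not help,
# because eval re-parses the string's contents anyway. (clip.mp4 is illustrative.)
vulnerable_publish() {
  caption=$1
  cmd="send -F 'video=@clip.mp4'"
  cmd="$cmd -F 'title=$caption'"
  eval "$cmd"
}

# Hardened form: build an argument list instead of a string. Each word is
# passed to the command as-is, so the caption cannot end its argument or
# start a new command. set -- is the POSIX way; in bash an array such as
#   args=(send -F 'video=@clip.mp4' -F "title=$caption"); "${args[@]}"
# behaves the same.
safe_publish() {
  caption=$1
  set -- send -F 'video=@clip.mp4' -F "title=$caption"
  "$@"
}

echo "== vulnerable (eval) =="
vulnerable_publish "$MALICIOUS_CAPTION"
echo "== safe (argument list) =="
safe_publish "$MALICIOUS_CAPTION"
```

Run it and the eval path prints INJECTED between the forwarded arguments, while the argument-list path forwards the whole caption, quote and all, as the single title= argument. The same construction is how the Upload-Post token should be passed to curl: never splice a secret into a string that may later be echoed, traced with set -x, or logged.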
Impact: Anyone or any process that obtains this token can publish to the connected accounts through Upload-Post.
Detail: The Upload-Post token is expected for this integration, but it carries delegated authority to publish to, and fetch analytics for, the connected social accounts.
Evidence: UPLOADPOST_TOKEN | Upload-Post API token ... Images + Caption → Sent to Upload-Post API → Published to TikTok/Instagram
Recommendation: Use a dedicated brand or test account where possible, keep the token out of logs and shell history, rotate it if it is exposed, and verify which permissions Upload-Post grants it.
Impact: Bad data, poor-performing captions, or unwanted prompt patterns can be carried forward into future posts.
Detail: The skill intentionally persists analytics-derived guidance that influences future content generation and scheduling; whatever ends up in that file steers later runs.
Evidence: The skill maintains a `learnings.json` that accumulates insights across all posts: Best performing hooks, Optimal posting times, Visual styles that work, CTAs that convert
Recommendation: Review and periodically clear or edit learnings.json, and do not treat its stored recommendations as authoritative without user review.
Impact: Future dependency versions could change behavior or introduce vulnerabilities.
Detail: The uv-managed Python dependencies are declared as version ranges rather than pinned versions, and the README also instructs the user to install Playwright separately, outside that spec.
Evidence:
dependencies = [
"google-genai>=1.0.0",
"pillow>=10.0.0",
]
Recommendation: Pin dependency versions, provide a lockfile or install spec, and document exactly which packages are installed.
