Larry

Warn

Audited by ClawScan on May 10, 2026.

Overview

Larry is a coherent TikTok marketing automation skill, but it under-declares sensitive account credentials, public posting authority, persistent scheduled activity, and local storage of revenue/customer analytics.

Only install this if you are comfortable giving the agent access to your social posting workflow and optional RevenueCat business data. Use draft/manual approval for posts, store API keys carefully, avoid saving transaction-level customer data unless necessary, and do not create the daily cron job unless you know how to disable it.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing users may not realize the skill needs credentials that can access social posting infrastructure and revenue/subscriber analytics.

Why it was flagged

The registry metadata declares no credential or config requirements, but the skill's scripts and references use Postiz API keys and RevenueCat secret keys. This under-declares account-level authority.

Skill content
Required env vars: none; Primary credential: none; Required config paths: none
Recommendation

Declare Postiz and RevenueCat credentials explicitly, document the minimum scopes needed, and tell users where credentials are stored and how to revoke them.

What this means

A RevenueCat secret key may allow access to business and customer subscription data beyond simple marketing metrics.

Why it was flagged

The skill asks for RevenueCat secret API credentials, which can expose sensitive subscriber, purchase, and revenue information. This is optional but high-impact and not declared in the registry metadata.

Skill content
"v1SecretKey": "sk_..." ... "Use the secret key (sk_), NOT the public key."
Recommendation

Use the least-privileged RevenueCat key available, avoid storing broad secret keys in plain local config when possible, and clearly separate optional RevenueCat access from required setup.

What this means

Customer purchase or transaction details could be retained locally in the marketing directory and reused in future reports.

Why it was flagged

The daily report fetches RevenueCat transactions and writes the returned metrics object, including transactions, into a local snapshot file. The artifacts do not show minimization, redaction, retention limits, or user review for this stored sensitive business/customer data.

Skill content
transactions: transactions.items || [] ... fs.writeFileSync(rcSnapshotPath, JSON.stringify({ date: dateStr, ...rcMetrics }, null, 2));
Recommendation

Store only aggregate metrics by default, redact customer identifiers, document retention, and require explicit opt-in before saving transaction-level RevenueCat data.

What this means

The skill could keep running daily and continue accessing Postiz and RevenueCat data after the initial setup unless the user knows how to stop it.

Why it was flagged

The skill recommends persistent scheduled execution. The scheduled job is analytics-related, but the artifacts do not show clear approval, uninstall, retention, or disable instructions for it.

Skill content
Set up a cron job to run every morning before the first post (e.g. 7:00 AM user's timezone): Task: node scripts/daily-report.js --config tiktok-marketing/config.json --days 3
Recommendation

Ask for explicit approval before creating a cron job, show the exact schedule and command, and provide a clear disable/removal command.

What this means

Mistakes in generated content, captions, schedules, or platform selection could be published or cross-posted to multiple public channels.

Why it was flagged

Posting and cross-posting to public social platforms is central to the skill's purpose and is disclosed, but it represents high-impact account-mutation authority.

Skill content
posts via Postiz ... cross-posting to Instagram/YouTube/Threads ... analytics tracking
Recommendation

Use draft/manual-review mode by default, confirm each connected platform, and require user approval before publishing or cross-posting.

What this means

Setup may require installing packages and build tools that are not visible in the registry requirements.

Why it was flagged

The skill relies on local Node execution and an unpinned native npm dependency, but the registry says there is no install spec and no required binaries. This appears purpose-aligned, not hidden.

Skill content
This skill does NOT bundle any dependencies... Node.js (v18+) ... node-canvas (`npm install canvas`) ... Your agent should research the install requirements for your OS.
Recommendation

Pin dependency versions, document OS-specific install steps, and declare Node/canvas requirements in metadata.

What this means

Product details and prompts may be sent to selected image-generation providers, and generated files will be written locally.

Why it was flagged

The script executes local Node code, calls external image-generation APIs, downloads generated images, and writes them to the user-selected output directory. This is expected for the stated slideshow-generation purpose.

Skill content
fetch('https://api.openai.com/v1/images/generations' ...); ... fetch('https://api.replicate.com/v1/predictions' ...); ... fs.writeFileSync(outPath, buf);
Recommendation

Review prompts before sending them to providers and use a dedicated output directory.