tiktok-carousel
v1.0.0
Generates a 6-slide TikTok carousel with images and text, creates a draft post via Postiz API, and outputs a caption for review and publishing.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's code implements exactly what the description says: generates images/captions and can upload media/create a TikTok draft via a Postiz client. However, the package registry metadata declares no required environment variables or primary credential, while the SKILL.md and code clearly require OPENAI_API_KEY to generate images (optional placeholder fallback) and POSTIZ_API_KEY (and optionally POSTIZ_API_URL) to upload/create drafts. That metadata omission is inconsistent with the declared purpose.
Instruction Scope
SKILL.md gives narrow, specific instructions (create venv, pip install -r requirements.txt, set OPENAI_API_KEY and POSTIZ_API_KEY, run scripts). The runtime code only reads those environment variables and operates on files in the images output folder. It does not attempt to read unrelated system files, credentials, or broad system state, nor does it send data to endpoints other than OpenAI (image generation) and Postiz (upload/default URL).
Install Mechanism
There is no install script that downloads arbitrary archives — the skill is delivered as Python source plus requirements.txt. Dependencies are standard (openai, requests, Pillow). No remote extract/install URLs or obscure package sources are used. This is lower risk than a remote binary download, but installing Python packages still pulls third-party code from PyPI.
Credentials
The code legitimately uses OPENAI_API_KEY and POSTIZ_API_KEY (and POSTIZ_API_URL). Requiring those API keys is proportionate to the stated tasks, but the registry metadata lists no required env vars or primary credential — an incoherence that could confuse users or hide the need to supply secrets. Also, POSTIZ_API_URL defaults to https://api.postiz.com/v1; the Postiz service and domain are not documented in the skill metadata, and the source/homepage is unknown, so you should verify the target API's trustworthiness before providing keys.
Persistence & Privilege
The skill does not request persistent or elevated privileges. 'always' is false, autonomous invocation is allowed (platform default), and the code does not modify other skills, system-wide agent settings, or write to global configs. It only writes generated images and a caption into the local output directory.
What to consider before installing
This skill's code appears to do what it claims (generate images/captions and optionally upload drafts to Postiz), but the registry metadata failing to declare required env vars (OPENAI_API_KEY and POSTIZ_API_KEY) is an inconsistency you should address before installing. Before use:
1) Verify the skill's provenance — ask the publisher for a homepage or repo and confirm you trust it.
2) Confirm the Postiz service (api.postiz.com) is legitimate and review its API docs; if uncertain, do not provide your production POSTIZ_API_KEY.
3) Use limited-scope or temporary API keys and avoid reusing high-privilege keys.
4) Run first in an isolated environment (VM/container) and monitor outbound network requests (or run under a local HTTP proxy) to observe what endpoints are contacted.
5) If you won't use Postiz, remove/disable postiz_api_integration.py or avoid running scripts/upload.py.
6) Request that the registry entry be updated to list OpenAI and Postiz credentials explicitly and provide a homepage/source for auditing — that would raise confidence from suspicious to benign.
TikTok Carousel Generation Skill (openclaw-style)
Short description
This skill generates a 6-slide TikTok carousel (portrait images + text overlays), drafts a TikTok post using a draft API (Postiz in this repository), and outputs a ready-to-review caption. The focus is cost-effective, reproducible content generation and automating as much of the drafting process as possible while keeping final publishing manual.
Quick install & run
- Create and activate a Python virtual environment.
- Install dependencies: pip install -r requirements.txt.
- Create environment variables: OPENAI_API_KEY (for image/text generation) and POSTIZ_API_KEY (optional, for uploading and creating drafts).
- Run the generator (examples in README.md/scripts/).
What this skill contains
- tiktok_content_gen.py — orchestrator: creates hook, locked architecture, images, captions and can upload a draft.
- postiz_api_integration.py — small Postiz client used to upload media and create drafts (keeps drafts private by default).
- scripts/generate.py — thin CLI wrapper to run generation locally.
- scripts/upload.py — CLI wrapper to upload generated images and create a draft.
- requirements.txt — Python dependencies.
Inputs / outputs (contract)
- Inputs: target persona/topic, optional prompt seeds, number of slides (default 6), style hints.
- Outputs: images/final_slide_{i}.png, caption.txt, optional Postiz draft (returns draft id/url).
Security & cost notes
- Keep API keys out of source control and use environment variables.
- Image generation costs depend on the model (DALL·E 3 or similar). Use batching or lower-res variants for cost savings.
Installation details and examples are in README.md inside this folder.