tiktok-carousel

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to match its stated purpose, but users should note that it installs Python packages, uses OpenAI/Postiz API keys, and can upload generated media to create a TikTok draft.

This looks suitable for its stated purpose if you are comfortable with OpenAI image-generation costs and Postiz draft creation. Before installing, use a virtual environment, keep API keys out of source control, verify POSTIZ_API_URL if you set it, and review generated media/captions before uploading or publishing.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with selected images and a caption, the skill can create draft content in the user's Postiz/TikTok workflow.

Why it was flagged

The skill can upload local image files to Postiz and create a TikTok draft, which is expected for the stated purpose but still changes a connected third-party account.

Skill content
resp = requests.post(url, headers=headers, files=files)
...
url = f"{POSTIZ_API_URL}/tiktok/create_draft"

Recommendation

Review the images and caption before upload, keep draft-only behavior, and confirm final publishing remains manual.

What this means

Exposed or overly broad keys could be abused to spend API credits or act on the connected Postiz account.

Why it was flagged

The skill uses provider credentials that can incur API costs and authorize account actions; this is expected, but the registry metadata does not declare a primary credential.

Skill content
Create environment variables: `OPENAI_API_KEY` (for image/text generation) and `POSTIZ_API_KEY` (optional, for uploading and creating drafts).

Recommendation

Use environment variables or a secrets manager, prefer scoped/revocable keys where available, and monitor OpenAI/Postiz usage.

What this means

Future dependency versions could behave differently from the versions originally tested by the skill author.

Why it was flagged

Dependencies are installed from package names with lower-bound version ranges rather than pinned versions, which is common but leaves exact installed versions variable.

Skill content
openai>=1.0.0
requests>=2.28.0
Pillow>=10.0.0
python-dotenv>=1.0.0

Recommendation

Install in a virtual environment and consider pinning or locking dependency versions before production use.

What this means

Topics, style hints, and generated content may leave the local environment and be processed by external providers.

Why it was flagged

User-provided topic/persona/style content is incorporated into prompts sent to the OpenAI image provider, which is disclosed and central to the skill's purpose.

Skill content
response = client.images.generate(
    model="gpt-image-1",
    prompt=prompt,

Recommendation

Avoid using confidential topics or private business information unless the provider terms and account settings are acceptable.