v1.0.0

tiktok-carousel

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:58 AM.

Analysis

The skill appears to match its stated purpose, but users should notice that it installs Python packages, uses OpenAI/Postiz API keys, and can upload generated media to create a TikTok draft.

Guidance: This looks suitable for its stated purpose if you are comfortable with OpenAI image-generation costs and Postiz draft creation. Before installing, use a virtual environment, keep API keys out of source control, verify POSTIZ_API_URL if you set it, and review generated media/captions before uploading or publishing.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
postiz_api_integration.py
resp = requests.post(url, headers=headers, files=files) ... url = f"{POSTIZ_API_URL}/tiktok/create_draft"

The skill can upload local image files to Postiz and create a TikTok draft, which is expected for the stated purpose but still changes a connected third-party account.

User impact: If invoked with selected images and a caption, the skill can create draft content in the user's Postiz/TikTok workflow.
Recommendation: Review the images and caption before upload, keep draft-only behavior, and confirm final publishing remains manual.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
requirements.txt
openai>=1.0.0
requests>=2.28.0
Pillow>=10.0.0
python-dotenv>=1.0.0

Dependencies are installed from package names with lower-bound version ranges rather than pinned versions, which is common but leaves exact installed versions variable.

User impact: Future dependency versions could behave differently from the versions originally tested by the skill author.
Recommendation: Install in a virtual environment and consider pinning or locking dependency versions before production use.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Create environment variables: `OPENAI_API_KEY` (for image/text generation) and `POSTIZ_API_KEY` (optional, for uploading and creating drafts).

The skill uses provider credentials that can incur API costs and authorize account actions; this is expected, but the registry metadata does not declare a primary credential.

User impact: Exposed or overly broad keys could be abused to spend API credits or act on the connected Postiz account.
Recommendation: Use environment variables or a secrets manager, prefer scoped/revocable keys where available, and monitor OpenAI/Postiz usage.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
tiktok_content_gen.py
response = client.images.generate(
        model="gpt-image-1",
        prompt=prompt,

User-provided topic/persona/style content is incorporated into prompts sent to the OpenAI image provider, which is disclosed and central to the skill's purpose.

User impact: Topics, style hints, and generated content may leave the local environment and be processed by external providers.
Recommendation: Avoid using confidential topics or private business information unless the provider terms and account settings are acceptable.