Morfeo Content Pipeline
v2.0.0Autonomous pipeline generating TikTok videos simulating real Argentine brands with a final AI reveal by Morfeo Labs, posted as drafts 4 times daily.
⭐ 0· 274·1 current·1 all-time
byPaul de Lavallaz@pauldelavallaz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to generate TikTok videos, which legitimately requires access to local brand assets, model catalogs, and external services (Gemini, Morpheus, VEED, ElevenLabs, TikTok). However the registry metadata lists no required env vars or config paths. The SKILL.md explicitly references local project paths (/home/ubuntu..., ~/clawd/...), deployment IDs, and a GitHub repo—these resource accesses are not declared, which is inconsistent and disproportionate.
Instruction Scope
Runtime instructions tell the agent to read files from user home directories, run PM2 under a specific project path, call multiple external image/voice/video deployments, select and push assets, and post drafts. Critically, the doc explicitly instructs authors to write prompts in English to "avoid Gemini moderation in Spanish," which is an instruction to evade safety controls. The instructions therefore go beyond innocuous content generation and grant broad filesystem and network scope without constraints.
Install Mechanism
This is an instruction-only skill with no install spec (lower disk footprint). That reduces install-time risk, but the skill still expects access to local repos, PM2-managed processes, and multiple external services at runtime, which keeps the operational risk high despite no installer.
Credentials
The workflow requires many external services (Gemini, Morpheus deployments, Multishot, VEED UGC, ElevenLabs voices, posting to TikTok, Git operations) that normally need API keys/tokens, yet the skill declares no required environment variables or primary credential. This mismatch suggests either missing metadata (sloppy) or an assumption that sensitive credentials already exist on the host—the latter is risky.
Persistence & Privilege
always:false and user-invocable:true (normal). The instructions do direct operations that can change local state (PM2, pushing to repos, writing files under the project path), but there is no claim of forcing always-on presence or altering other skills' configurations.
What to consider before installing
Before installing or running this skill, consider the following:
- The SKILL.md expects access to local project paths, PM2 processes, and many external services but lists no API keys or config paths—ask the author which credentials and file locations are required and why they weren't declared.
- The instructions explicitly say to write prompts in English to "avoid moderation"—that is an attempt to evade content safety controls and is a serious red flag; do not use this behavior on shared or production systems.
- The pipeline simulates real Argentine brands and pushes draft posts; confirm you have legal permission to use those brands and that posting will not impersonate or infringe rights.
- If you still want to test it, run the skill in an isolated environment (ephemeral VM or container) with no production credentials, and ensure any API keys are scoped/revocable. Ask the publisher for a detailed list of required credentials, network endpoints, and an explicit privacy/safety explanation before granting access.Like a lobster shell, security has layers — review code before you run it.
argentinavk97606bww1axykhb1fpxze24mh826n15latestvk972cyged6ehbega0efekyttdh828d5smorfeovk97606bww1axykhb1fpxze24mh826n15morpheusvk97606bww1axykhb1fpxze24mh826n15pipelinevk97606bww1axykhb1fpxze24mh826n15tiktokvk97606bww1axykhb1fpxze24mh826n15ugcvk97606bww1axykhb1fpxze24mh826n15veedvk97606bww1axykhb1fpxze24mh826n15
License
MIT-0
Free to use, modify, and redistribute. No attribution required.