Morfeo Content Pipeline

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The user could submit content in a way intended to bypass safety controls, risking policy violations, unsafe outputs, or provider/account enforcement.

Why it was flagged

The skill explicitly tells the agent to use English to avoid Gemini moderation filters, which is an unsafe use of a provider tool rather than normal content-generation guidance.

Skill content

"brief_text": "...",  # in ENGLISH — avoids Gemini moderation filters in Spanish

Recommendation

Remove moderation-evasion instructions and require provider safety checks and human review for generated content.

What this means

The pipeline may keep generating assets and drafts after initial use, consuming credits and changing connected content accounts.

Why it was flagged

The artifact describes persistent scheduled operation through PM2, but does not show stop, pause, approval, quota, or ownership controls.

Skill content

**Frequency:** 4x/day — 11:00, 15:00, 19:00, 23:00 UTC  
**Process:** PM2 (`morfeo-content`)

Recommendation

Require explicit opt-in for scheduling, document how to stop/disable the PM2 process, and add per-run limits or approvals.

What this means

A connected Postiz or social account could receive unwanted draft content, and the user cannot tell from the artifacts which account or permissions are used.

Why it was flagged

Creating Postiz drafts implies delegated access to a social publishing workspace; the provided registry metadata declares no primary credential or env vars, so the account authority and scope are not visible.

Skill content

Brand → Model → Hero Image → Multishot → View shots → Script → VEED ×5 → ffmpeg → Postiz DRAFT

Recommendation

Declare the required Postiz credentials/configuration, scope them to a specific workspace, and require user confirmation before creating drafts.

What this means

The clean static scan does not validate the actual PM2 project, scripts, dependencies, or repository contents used by the pipeline.

Why it was flagged

The skill is instruction-only but relies on a local project and an external repository that are not included or pinned in the reviewed package.

Skill content

**Project:** `/home/ubuntu/clawd/projects/morfeo-content-engine/`  
**Brands repo:** `https://github.com/PauldeLavallaz/marcas-argentinas`

Recommendation

Publish the runtime code/install spec with pinned dependencies or commits, and verify the local project before use.

What this means

Viewers or brand owners may perceive the drafts as misleading if the reveal is missed, removed, or insufficiently clear.

Why it was flagged

The content strategy intentionally imitates real brands before a final AI reveal; this is disclosed, but still creates audience-trust and brand-authorization risk.

Skill content

Each video simulates organic content from a real Argentine brand, with a final plot twist revealing that it was created with AI by Morfeo Labs.

Recommendation

Use only authorized brands, keep the AI/Morfeo disclosure clear throughout the video, and require human review before publication.

What this means

Generated assets, prompts, and scripts may leave the local environment and be processed by third-party services.

Why it was flagged

The workflow sends images, scripts, and voice-generation requests through multiple external AI providers; that is expected for the purpose, but data handling and retention boundaries are not documented.

Skill content

make a visual description with Gemini ... STEP 7 — VEED UGC × 5 ... Voice IDs (ElevenLabs, Argentine)

Recommendation

Confirm provider terms, credentials, and retention policies, and avoid sending private or unauthorized assets.