Morfeo Content Pipeline
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: morfeo-content-pipeline Version: 2.0.0 The skill bundle defines an autonomous content generation pipeline for TikTok videos, specifically tailored for 'Morfeo Labs'. It orchestrates a multi-step workflow involving image generation via ComfyDeploy, scriptwriting using Gemini 2.5 Pro with specific Argentine cultural nuances, and video synthesis using VEED and ffmpeg. The instructions in SKILL.md are highly detailed and include robust error handling, such as file size validation and retry logic, as well as safety measures like posting content as drafts. No indicators of data exfiltration, malicious shell execution, or unauthorized access were found; the capabilities described (file system access, network calls to AI APIs, and media processing) are strictly aligned with the stated purpose of the pipeline.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The user could submit content in a way intended to bypass safety controls, risking policy violations, unsafe outputs, or provider/account enforcement.
The skill explicitly tells the agent to use English to avoid Gemini moderation filters, which is an unsafe use of a provider tool rather than normal content-generation guidance.
"brief_text": "...", # en INGLÉS — evita filtros de moderación de Gemini en español
Remove moderation-evasion instructions and require provider safety checks and human review for generated content.
The pipeline may keep generating assets and drafts after initial use, consuming credits and changing connected content accounts.
The artifact describes persistent scheduled operation through PM2, but does not show stop, pause, approval, quota, or ownership controls.
**Frecuencia:** 4x/día — 11:00, 15:00, 19:00, 23:00 UTC **Proceso:** PM2 (`morfeo-content`)
Require explicit opt-in for scheduling, document how to stop/disable the PM2 process, and add per-run limits or approvals.
A connected Postiz or social account could receive unwanted draft content, and the user cannot tell from the artifacts which account or permissions are used.
Creating Postiz drafts implies delegated access to a social publishing workspace; the provided registry metadata declares no primary credential or env vars, so the account authority and scope are not visible.
Marca → Modelo → Hero Image → Multishot → Ver shots → Guión → VEED ×5 → ffmpeg → Postiz DRAFT
Declare the required Postiz credentials/configuration, scope them to a specific workspace, and require user confirmation before creating drafts.
The clean static scan does not validate the actual PM2 project, scripts, dependencies, or repository contents used by the pipeline.
The skill is instruction-only but relies on a local project and an external repository that are not included or pinned in the reviewed package.
**Proyecto:** `/home/ubuntu/clawd/projects/morfeo-content-engine/` **Repo marcas:** `https://github.com/PauldeLavallaz/marcas-argentinas`
Publish the runtime code/install spec with pinned dependencies or commits, and verify the local project before use.
Viewers or brand owners may perceive the drafts as misleading if the reveal is missed, removed, or insufficiently clear.
The content strategy intentionally imitates real brands before a final AI reveal; this is disclosed, but still creates audience-trust and brand-authorization risk.
Cada video simula contenido orgánico de una marca argentina real, con un plot twist final que revela que fue creado con IA por Morfeo Labs.
Use only authorized brands, keep the AI/Morfeo disclosure clear throughout the video, and require human review before publication.
Generated assets, prompts, and scripts may leave the local environment and be processed by third-party services.
The workflow sends images, scripts, and voice-generation requests through multiple external AI providers; that is expected for the purpose, but data handling and retention boundaries are not documented.
hacer descripción visual con Gemini ... PASO 7 — VEED UGC × 5 ... Voice IDs (ElevenLabs, argentino)
Confirm provider terms, credentials, and retention policies, and avoid sending private or unauthorized assets.