Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Larry — Autonomous TikTok Slideshow Agent

v1.0.0

Automatically creates and schedules 6-slide TikTok slideshows with trending hooks and images linked to your affiliate articles using NVIDIA FLUX and Postiz.

Security Scan
  • VirusTotal: Suspicious
  • OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The skill's name/description match the included code (image gen, overlay, Postiz upload, learning). However the registry metadata claims no required env/configs while the SKILL.md and code clearly require NVIDIA and Postiz credentials (and potentially an LLM CLI). larry.py also checks for an OpenAI API key even though research.py uses a 'claude' CLI — a clear mismatch between stated and actual requirements.
Instruction Scope (flagged)
SKILL.md documents NVIDIA FLUX and Postiz, but it does not mention the 'claude' CLI dependency that research.py invokes via subprocess. The runtime instructions and code read/write local files (queue, logs) and will POST credentials to the configured Postiz endpoint and use the NVIDIA API key. The code writes/reads performance logs and used_topics files inside the skill directory and /tmp image files — expected for this app — but the omitted/incorrect dependency listing and the presence of real-looking credentials in the bundle expand the attack surface.
Install Mechanism (flagged)
There is no install spec (the skill is instruction-only), which is low risk in general, but the distributed bundle includes a populated config.json and existing logs/queue files. Shipping a pre-filled config.json with credentials inside the skill archive is inappropriate and risky: it encourages accidental use of the embedded secrets and exposes whoever committed them. No external download URLs are used, but the provenance of the bundled code itself is still unknown.
Credentials (flagged)
The code expects sensitive values (nvidia_api_key, postiz_api_key, postiz_email, postiz_password) and will transmit them to endpoints (NVIDIA API and the configured postiz_base_url). The registry metadata incorrectly lists 'none' for required env vars/configs, and the bundled config.json contains cleartext credentials — both are disproportionate and inconsistent with safe publishing practice. The OpenAI API-key check in larry.py (and absence of OpenAI usage) is an additional unexplained credential expectation.
Persistence & Privilege
The skill is not marked always:true and uses standard local files (queue, logs) inside its directory and /tmp. It can be run autonomously (disable-model-invocation is false), which is the platform default; this increases blast radius if combined with other issues, but on its own is expected behavior.
What to consider before installing
Do not run this skill as-is. Specific recommendations:

  • Remove or replace the bundled config.json before installing; it contains cleartext credentials (nvidia_api_key, postiz_api_key, postiz_email, postiz_password). Treat them as compromised and rotate them if they are real.
  • Don't trust or publish skills that include populated config files or log files; the pack should provide only config.example.json with placeholders.
  • The SKILL.md omits a dependency: research.py calls an external 'claude' CLI. If you plan to run this, make sure you understand and trust that binary. larry.py also checks for an OpenAI API key despite not using OpenAI; ask the author why.
  • Confirm the postiz_base_url points to a Postiz instance you control (the default is localhost). Running against an attacker-controlled endpoint would leak uploaded media and credentials.
  • Audit network traffic on the first run (or run in an isolated environment) to see which endpoints receive credentials or uploads (the NVIDIA endpoint and the Postiz endpoint).
  • If you want the functionality, request a fixed-up release from the author: remove embedded secrets, correct the metadata to list the required credentials (NVIDIA key, Postiz email/password or API key) and the 'claude' dependency if required, document all runtime dependencies, and do not ship logs or queues containing real data.
  • If you already executed this bundle with the provided config.json credentials, treat those credentials as compromised and rotate/reset them immediately.
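
Most of the recommendations above can be checked mechanically against the unpacked archive before anything is installed. The script below is an added example, not code from the Larry skill or from ClawHub's scanner. It assumes the bundle layout described on this page (config.json, SKILL.md, logs/, queue files, Python scripts); the placeholder patterns, the subprocess regex and the sample bundle that build_sample_bundle() writes are constructed for the example.

```python
"""Pre-install audit of an unpacked skill bundle (added example).

Checks, in order: a shipped config.json with non-placeholder secrets, a
postiz_base_url that is not loopback, runtime artifacts (logs, queue,
used_topics) inside the archive, and subprocess calls to binaries that
SKILL.md never mentions.
"""
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

SECRET_KEYS = ("nvidia_api_key", "postiz_api_key", "postiz_email", "postiz_password")
# Values a config.example.json may legitimately carry: "...", "nvapi-...", "<token>", "your..."
PLACEHOLDER_RE = re.compile(r"^(?:[\w-]*\.\.\.|<[^>]*>|your\S*|)$", re.IGNORECASE)
# Runtime state that belongs in the user's install, never in a published archive.
RUNTIME_ARTIFACTS = ("performance.json", "used_topics", "queue")
# Matches subprocess.run(["claude", ...]), subprocess.Popen(["ffmpeg", ...]) and similar.
SUBPROCESS_RE = re.compile(r"subprocess\.\w+\(\s*\[\s*['\"]([\w.\-]+)['\"]")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def looks_real(value) -> bool:
    """True when a secret-bearing field holds something other than a placeholder."""
    return isinstance(value, str) and PLACEHOLDER_RE.match(value) is None


def audit_config(cfg: dict) -> list:
    findings = []
    for key in SECRET_KEYS:
        if key in cfg and looks_real(cfg[key]):
            findings.append(f"config.json: {key} is populated; treat it as leaked and rotate it")
    host = urlparse(cfg.get("postiz_base_url", "")).hostname or ""
    if host and host not in LOOPBACK:
        findings.append(f"config.json: postiz_base_url targets {host}, which will receive credentials and media")
    return findings


def undeclared_binaries(scripts: dict, skill_md: str) -> list:
    """Binaries launched via subprocess that the SKILL.md text never names."""
    doc = skill_md.lower()
    return [
        f"{name}: runs '{binary}' via subprocess but SKILL.md does not document it"
        for name, source in sorted(scripts.items())
        for binary in SUBPROCESS_RE.findall(source)
        if binary.lower() not in doc
    ]


def audit_bundle(root: Path) -> list:
    findings = []
    cfg_path = root / "config.json"
    if cfg_path.exists():
        findings.append("bundle ships a populated config.json; a release should carry only config.example.json")
        findings += audit_config(json.loads(cfg_path.read_text()))
    for path in sorted(root.rglob("*")):
        if path.is_file() and any(tag in path.name for tag in RUNTIME_ARTIFACTS):
            findings.append(f"bundle ships runtime artifact {path.relative_to(root).as_posix()}")
    skill_md = (root / "SKILL.md").read_text() if (root / "SKILL.md").exists() else ""
    scripts = {p.relative_to(root).as_posix(): p.read_text() for p in root.rglob("*.py")}
    findings += undeclared_binaries(scripts, skill_md)
    return findings


def build_sample_bundle(root: Path) -> None:
    """Constructed bundle reproducing the shape the scan describes; every value is fake."""
    (root / "scripts").mkdir(parents=True)
    (root / "logs").mkdir()
    (root / "SKILL.md").write_text("Requires an NVIDIA API key and a Postiz instance.\n")
    (root / "config.json").write_text(json.dumps({
        "nvidia_api_key": "nvapi-FAKE0000",      # looks real -> flagged
        "postiz_api_key": "...",                 # placeholder -> not flagged
        "postiz_email": "ops@example.com",
        "postiz_password": "correct-horse",
        "postiz_base_url": "http://postiz.example.net/api",
    }))
    (root / "logs" / "performance.json").write_text("[]")
    (root / "scripts" / "research.py").write_text(
        'import subprocess\nsubprocess.run(["claude", "-p", "find viral hooks"])\n')


def demo() -> list:
    """Build the constructed bundle in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_bundle(root)
        return audit_bundle(root)


if __name__ == "__main__":
    for line in demo():
        print("FLAG:", line)
```

Run it as `python3 audit.py` against the unpacked archive by replacing demo() with `audit_bundle(Path("larry"))`. The subprocess regex only catches list-form calls with a literal program name; a bundle that builds the command from variables or goes through os.system still needs a manual read, which is why the last recommendation above asks the author to document every runtime dependency.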

Like a lobster shell, security has layers — review code before you run it.

Latest version: vk97f0js08ghbpsncexs7x59rc5820yxt
449 downloads, 0 stars, 1 version
Updated 6h ago
v1.0.0, MIT-0 license

Larry — Autonomous TikTok Slideshow Agent

Automatically generates and posts TikTok slideshows for affiliate content sites. Inspired by the "Larry" viral slideshow format (8M views in one week).

What this skill does

  1. Research — Identifies viral hooks and trending topics in your niche
  2. Ideation — Creates 6-slide concepts linked to your affiliate articles
  3. Image Generation — Generates 6 consistent images via NVIDIA FLUX (free tier)
  4. Text Overlay — Adds hook text (Slide 1) + subtitles to each image
  5. Posting — Uploads as draft/scheduled post to TikTok via Postiz (self-hosted)
  6. Learning — Logs performance data, adapts hook formulas over time

Requirements

  • Postiz self-hosted (free) or Postiz cloud
  • NVIDIA API key (free tier at build.nvidia.com — includes FLUX image generation)
  • TikTok account(s) connected via Postiz
  • Python 3 with pillow and requests (see Setup)
  • The 'claude' CLI: not listed by the author, but the security scan above reports that research.py invokes it via subprocess, so treat it as a runtime dependency and check which binary of that name is on your PATH

Setup

# 1. Copy and fill config
cp ~/.openclaw/skills/larry/config.example.json ~/.openclaw/skills/larry/config.json
# Edit config.json with your API keys and portal details

# 2. Install Python dependencies
pip3 install pillow requests

# 3. Smoke test (no API calls)
python3 ~/.openclaw/skills/larry/scripts/larry.py --portal my-portal --dry-run

Config

{
  "nvidia_api_key": "nvapi-...",
  "postiz_api_key": "...",
  "postiz_base_url": "http://localhost:4007/api",
  "image_model": "flux.1-schnell",
  "slides_per_post": 6,
  "posts_per_day": 2,
  "post_times": ["09:00", "18:00"],
  "portals": {
    "my-portal": {
      "tiktok_account_id": "POSTIZ_INTEGRATION_ID",
      "niche": "Your Niche (e.g. Sauna & Wellness)",
      "site_url": "https://yoursite.com",
      "amazon_tag": "yourtag-21",
      "style": "brief visual style description for image generation",
      "hashtags": ["#tag1", "#tag2", "#tag3"]
    }
  }
}
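
Because the credentials in this config are sent to whatever postiz_base_url names, a first run is worth wrapping in an egress guard. The class below is an added example, not code from the Larry skill: it derives an allowlist from the config, refuses cleartext to anything but loopback, and records every attempt for a post-run audit. The Postiz host is taken from postiz_base_url; the NVIDIA host passed in demo() is an assumption, since this page never names the endpoint larry.py actually calls.

```python
"""Runtime egress guard for a skill's outbound HTTP calls (added example).

Wrap the skill's HTTP calls in EgressPolicy.urlopen (or apply check() in a
requests hook, since the skill itself uses requests) and read .attempts
after the run to see where credentials went.
"""
import urllib.request
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


class EgressPolicy:
    def __init__(self, config: dict, extra_hosts=()):
        self.allowed = {h.lower() for h in extra_hosts}
        postiz_host = urlparse(config.get("postiz_base_url", "")).hostname
        if postiz_host:
            self.allowed.add(postiz_host.lower())
        self.attempts = []  # (url, allowed) pairs for the audit trail

    def check(self, url: str) -> tuple:
        """Return (allowed, reason) without touching the network."""
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host not in self.allowed:
            verdict = (False, f"host {host!r} is not in the allowlist {sorted(self.allowed)}")
        elif parts.scheme != "https" and host not in LOOPBACK:
            # Credentials over cleartext are acceptable only to the local Postiz container.
            verdict = (False, f"cleartext {parts.scheme} to non-loopback host {host!r}")
        else:
            verdict = (True, "ok")
        self.attempts.append((url, verdict[0]))
        return verdict

    def urlopen(self, req, **kwargs):
        """Drop-in for urllib.request.urlopen that enforces the policy first."""
        url = req.full_url if isinstance(req, urllib.request.Request) else req
        allowed, reason = self.check(url)
        if not allowed:
            raise PermissionError(f"egress blocked: {reason}")
        return urllib.request.urlopen(req, **kwargs)


def demo() -> dict:
    # Constructed config mirroring the README shape; the key is fake and the
    # NVIDIA host is an assumption, not taken from the skill's code.
    config = {"nvidia_api_key": "nvapi-FAKE", "postiz_base_url": "http://localhost:4007/api"}
    policy = EgressPolicy(config, extra_hosts=["integrate.api.nvidia.com"])
    results = {
        "postiz_local": policy.check("http://localhost:4007/api/posts")[0],
        "nvidia_tls": policy.check("https://integrate.api.nvidia.com/v1/infer")[0],
        "nvidia_plain": policy.check("http://integrate.api.nvidia.com/v1/infer")[0],
        "unknown_host": policy.check("https://collector.example.net/upload")[0],
    }
    results["attempts_logged"] = len(policy.attempts)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

A guard like this is a complement to, not a substitute for, watching the traffic from outside (an isolated network namespace or a proxy), because code that shells out to another binary, such as the 'claude' CLI the scan mentions, bypasses any in-process hook.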

Usage

# Manual single post:
"Larry, create a TikTok post for [portal] about [topic]"

# Autonomous mode (via cron):
python3 ~/.openclaw/skills/larry/scripts/larry.py --portal my-portal --auto

# Dry run (generate slides, don't post):
python3 ~/.openclaw/skills/larry/scripts/larry.py --portal my-portal --dry-run

Slide Format (TikTok sweet spot)

  • 6 slides exactly
  • Slide 1: Large hook text + background image
  • Slides 2–5: Tips / facts / content
  • Slide 6: CTA → "Link in Bio" → article on your site
  • Caption: Story-style, natural mention of site, max 5 hashtags
  • Image style: realistic lifestyle photography look

Cost

  • Image generation: €0 (NVIDIA free tier, FLUX.1-schnell)
  • Postiz self-hosted: €0 (Docker, runs locally)
  • 2 posts/day × 30 days = €0/month running cost

Performance Tracking

All posts logged to ~/.openclaw/skills/larry/logs/performance.json. Larry adapts: high-performing hook formulas → more of those, poor ones → phased out.
