AI UGC
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad request could result in content being scheduled or published to connected social accounts.
The skill documents API operations that can schedule or immediately publish social posts, including public TikTok visibility. This is aligned with the stated purpose, but it is a high-impact action users should explicitly review.
POST /social/posts ... `mode` (required: `schedule`|`draft`|`now`) ... `tiktokPrivacyLevel`? (`SELF_ONLY`|`PUBLIC_TO_EVERYONE`...) ... POST /social/posts/{postId}/publish Immediately publish a draft.
Before publishing or scheduling, confirm the account IDs, content, privacy level, timing, and whether the action should be a draft instead of immediate publication.
Anyone or any agent with access to this environment variable may be able to use the connected RawUGC account capabilities.
The skill uses a bearer API key to access RawUGC. This is expected for the integration and includes appropriate secret-handling guidance, but the key may authorize account-level actions.
Read the API key from `RAWUGC_API_KEY` ... Send on every request: `Authorization: Bearer <value of RAWUGC_API_KEY>` ... must be kept secret; do not hardcode or log it.
Use a dedicated RawUGC key if possible, store it securely, avoid sharing logs that may contain headers, and revoke or rotate the key if it is no longer needed.
Uploaded images or videos may become available through a public URL and could be reused in generation requests.
The upload endpoint sends user-selected media to RawUGC and returns a public URL. This is disclosed and purpose-aligned, but it matters for sensitive or private files.
POST /upload ... field `file` ... Max 100MB. Response 200: `url` (public URL for use in generation requests)
Only upload files intended for RawUGC processing and avoid uploading private, confidential, or third-party content unless the user has approved that sharing.
