Tilda Publisher

Audited by ClawScan on May 13, 2026.

Overview

This skill is coherent for publishing to Tilda, but it needs your Tilda password, installs Playwright, and can change public site content.

Install this only if you are comfortable letting the agent log into Tilda and publish or edit pages for you. Use a private workspace, protect the .env file, avoid committing credentials, and ask for a preview or final confirmation before publishing important content.

Publisher note

This skill uses Playwright (headless Chromium) to automate browser interactions with tilda.cc. Network access to tilda.cc is required for login and page publishing. No data is sent anywhere except to tilda.cc using the user's own credentials.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can log into your Tilda account and perform actions allowed by that account, including creating, editing, and publishing pages.

Why it was flagged

The skill requires direct Tilda account credentials, giving the agent access to the user's Tilda account for publishing operations.

Skill content
requires:
  env:
    - name: TILDA_EMAIL
      description: Tilda account email
    - name: TILDA_PASSWORD
      description: Tilda account password
Recommendation

Use a dedicated or least-privileged Tilda account if possible, keep the workspace private, and rotate the password if you uninstall or no longer use the skill.

What this means

Your Tilda password may remain on disk and could be exposed if the workspace is shared, backed up, or committed to source control.

Why it was flagged

The onboarding code saves the user's Tilda email and password to a persistent .env file in the current workspace.

Skill content
fs.writeFileSync(envPath, lines.join('\n') + '\n');
Recommendation

Do not commit the .env file, restrict workspace access, and consider storing credentials through a secret manager instead of a plain workspace file.

What this means

Incorrect prompts, ambiguous project/page names, or unintended content could result in changes to a live Tilda site.

Why it was flagged

The skill gives the agent authority to perform end-to-end public publishing actions once invoked.

Skill content
The agent will handle the rest — login, page creation, content, SEO, and publishing.
Recommendation

Give explicit project, page, title, and content instructions, and ask the agent to preview or confirm changes before publishing important pages.

What this means

Installing packages at runtime can introduce dependency or environment changes in the workspace.

Why it was flagged

The skill may install Playwright and Chromium at runtime from external package sources rather than through a pinned install specification.

Skill content
execSync('npm install playwright', { stdio: 'inherit' });
execSync('npx playwright install chromium', { stdio: 'inherit' });
Recommendation

Install Playwright from trusted package sources, preferably with pinned versions, and run the skill in a workspace where npm installs are acceptable.

What this means

A user may misunderstand how the password is used: it is stored locally and also used to log into Tilda.

Why it was flagged

The claim "never sent anywhere" is broader than what the skill actually does: the same SKILL.md shows the password being submitted to tilda.cc during login. No destination other than tilda.cc is shown.

Skill content
What is your Tilda account password?
> ⚠️ It will be stored locally in the workspace .env file — never sent anywhere.
Recommendation

Treat the password as a real account credential, understand it will be submitted to Tilda for login, and prefer a dedicated account where possible.