Skill Tiktok Video Pipeline
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its video-generation purpose, but it has unsafe shell/path handling and under-declared external script dependencies that should be reviewed before use.
Use this only in a trusted or sandboxed workspace until the shell execution and path handling are fixed. Do not pass untrusted product IDs, script text, prompts, model names, logo paths, or audio paths. Also verify any referenced external video-generation/overlay skills before running the Python pipeline, and set the Gemini API key only if you understand the provider usage and cost.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or untrusted product prompt, script text, model name, or related argument could cause local commands to run with the user's permissions.
The script constructs shell command strings from CLI-controlled values and runs them through bash. JSON.stringify is not shell-safe quoting, and opts.veoModel is not quoted at all, so crafted values could trigger shell execution.
'--model', opts.veoModel, ... '--captions', JSON.stringify(opts.scriptText), ... return spawnSync('bash', ['-lc', cmd], {
Replace bash -lc string execution with spawnSync/subprocess argument arrays, validate model/language values against allowlists, and use a proper shell-escaping library only if a shell is unavoidable.
A crafted product identifier containing path traversal sequences could make the pipeline write outside the intended output/tiktok directory or create/remove unexpected temporary paths.
The required productId is used directly in filesystem paths and a recursive cleanup path without sanitizing path separators or enforcing that resolved paths stay under OUTPUT_DIR.
const tmpDir = path.join(OUTPUT_DIR, `.tmp_${opts.productId}_${Date.now()}`); ... const finalPath = path.join(OUTPUT_DIR, `${opts.productId}_${opts.lang}_final.mp4`); ... fs.rmSync(tmpDir, { recursive: true, force: true });
Restrict product identifiers to safe filename characters, resolve paths and verify they remain under the intended output directory, and avoid recursive deletion on paths influenced by user input.
Using the Python pipeline may execute whatever code exists at the external script paths it invokes, with its own network, credential, and file behavior outside this review.
The Python pipeline runs external local scripts that are not included in this skill's manifest and are not fully declared in the registry requirements or SKILL.md dependency list.
RUNWAY_SCRIPT = os.path.join(SKILLS_BASE, "skill-runway-video-gen", "scripts", "generate_video.py") ... OVERLAY_SCRIPT = os.path.join(SKILLS_BASE, "skill-tiktok-ads-video", "scripts", "overlay.py") ... subprocess.run(cmd, check=True)
Declare all required external skills and exact paths, include or pin reviewed versions, verify script identity before execution, and align SKILL.md with the code actually being run.
Users may not realize the skill needs an external API key and may incur provider API usage or billing through the video-generation step.
The skill requires a provider API key for Veo generation, while the registry metadata lists no required environment variables or primary credential. This is purpose-aligned but under-declared.
- `GEMINI_API_KEY` env var (for Veo generation)
Declare GEMINI_API_KEY in the registry metadata and clearly document what service receives prompts or media and what costs or permissions may apply.
