TikTok Content Pipeline
by Matt Tandy · v1.0.4
528 Downloads · 0 Stars · 1 Active Installs · 5 Versions
Install in OpenClaw
/install tiktok-content-pipeline
Description
Automates TikTok carousel content creation, smart scheduling, publishing via Postiz API, and analytics-driven optimization for niche accounts.
Usage Guidance
This package generally does what it says (generate/schedule/post via Postiz), but several inconsistencies merit caution:
- Metadata mismatch: The registry entry claims no required env vars/binaries, but SKILL.md and code require POSTIZ_API_KEY, a TikTok integration ID, Node.js, and the 'postiz' CLI. Treat the registry metadata as unreliable until corrected.
- Before installing: inspect package.json and SETUP.md, and confirm postiz-cli's origin (npm page or official Postiz site). Native deps like canvas/sharp can require build tools—install in a controlled environment.
- Secrets: Provide POSTIZ_API_KEY only via a secure environment variable or secret manager; do not commit API keys into repo config files. If you must store config files, add them to .gitignore as recommended.
- Test safely: Use a throwaway/test TikTok account and test templates and 'auto-improve' in dry-run mode first to confirm behavior (the skill can auto-post and auto-modify account configs).
- Audit packages: Run 'npm install' in an isolated environment, then 'npm audit' and review dependencies for native code or uncommon publishers.
- Runtime autonomy: If you plan to enable autonomous invocation for an agent that has this skill, consider restricting that agent's scope or disabling auto-implement features to prevent unintended automated posting.
If you want to proceed, ask the publisher or registry maintainer to correct the metadata (declare required env vars and required binaries/install steps) so you have an accurate inventory of what the skill will require.
Capability Analysis
Type: OpenClaw Skill
Name: tiktok-content-pipeline
Version: 1.0.4
The skill is classified as suspicious due to its extensive use of `child_process.execSync` for external CLI interaction (Postiz CLI) and dynamic module loading (`require`) based on user-controlled input (template names). While the code demonstrates a clear and consistent effort to mitigate shell injection and path traversal risks through robust input sanitization and a custom `_shellEscape` function in `cli.js`, `core/AnalyticsEngine.js`, and `core/Publisher.js`, these primitives inherently increase the attack surface for potential vulnerabilities. The 'auto-improve' and 'auto-post' features, while documented, grant significant control over account configurations and publishing, which could be abused if the underlying defenses were to fail. There is no evidence of intentional malicious behavior like data exfiltration or unauthorized persistence.
Capability Assessment
Purpose & Capability
The SKILL.md and source clearly require a Postiz API key and a TikTok integration ID and rely on the external 'postiz' CLI and node dependencies (canvas/sharp/etc.). However the registry metadata lists no required env vars/credentials and claims no required binaries — an inconsistency. The credentials requested are appropriate for the stated purpose (publishing/analytics) but the packaging/metadata omission is a red flag.
Instruction Scope
Runtime instructions and code stay within the stated scope: generating carousel slides, scheduling, calling Postiz CLI for publishing and analytics, and writing data under accounts/ and output/. The skill can run external CLI commands via execSync to invoke Postiz; the code uses shell-escaping helpers before embedding user/config values into those commands. Note: the 'auto-improve' mode can modify account configs and auto-post — the doc correctly warns to test on a throwaway account.
Install Mechanism
Registry lists no install spec (marked as instruction-only) but the package includes full source and SETUP.md that requires 'npm install' and a global 'postiz-cli' installation; native dependencies (canvas, sharp) are declared and may require build toolchains. The absence of an explicit install spec in the registry combined with included code/files is inconsistent and increases risk because an installer might not automatically run required steps or might misrepresent what will be written/executed.
Credentials
The SKILL.md requires POSTIZ_API_KEY and a TikTok Integration ID (stored per-account config). Those credentials are proportional to the claimed functionality. However the registry metadata declares no required env vars or primary credential — a mismatch that could mislead users about what secrets the skill needs. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills' configs. It writes per-account files under its own directories and can auto-implement actions only within account configs. Autonomous invocation is enabled (platform default); combined with 'auto-improve' the skill could auto-post, so exercise caution when granting it runtime autonomy.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install tiktok-content-pipeline`
- After installation, invoke the skill by name or use `/tiktok-content-pipeline`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.4
Final security pass: credential table in SKILL.md, env var priority for API keys, shell escaping on all AnalyticsEngine execSync calls
v1.0.3
Credential docs, env var support for POSTIZ_API_KEY, shell escaping on AnalyticsEngine execSync calls
v1.0.2
Security hardening (v1.0.2): Shell escaping applied to all execSync calls in AnalyticsEngine.js. Credential declaration added to SKILL.md (required credentials table, env var recommendation, security notes). Publisher and AnalyticsEngine now prefer POSTIZ_API_KEY env var over config file. Explicit security guidance for auto-improve mode and dependency auditing.
v1.0.1
Security fixes: path traversal guards on _loadGenerator, _getAccountDir, _copyDirectory (input validation + resolved path checks). Shell injection fix in Publisher.js (proper single-quote escaping for all execSync arguments). No more raw string interpolation in shell commands.
v1.0.0
Initial release: full TikTok content automation framework with carousel generation, Postiz publishing, smart scheduling, viral optimization, and analytics engine. Includes research-backed posting strategies for 2026.
Frequently Asked Questions
What is TikTok Content Pipeline?
Automates TikTok carousel content creation, smart scheduling, publishing via Postiz API, and analytics-driven optimization for niche accounts. It is an AI Agent Skill for Claude Code / OpenClaw, with 528 downloads so far.
How do I install TikTok Content Pipeline?
Run "/install tiktok-content-pipeline" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is TikTok Content Pipeline free?
Yes, TikTok Content Pipeline is completely free (open-source). You can download, install and use it at no cost.
Which platforms does TikTok Content Pipeline support?
TikTok Content Pipeline is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created TikTok Content Pipeline?
It is built and maintained by Matt Tandy (@matttandy855); the current version is v1.0.4.