Viraloop

by mutonby · GitHub ↗ · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 311
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install viraloop
Description
OpenClaw AI agent skill for automated TikTok and Instagram carousel growth. Analyzes any website URL to extract brand, competitors, value proposition, then g...
Usage Guidance
Summary of what to consider before installing and running this skill:
- It does what it says (analyze a website, generate images via Gemini, and publish via Upload-Post), but there are several mismatches and risky defaults you should be aware of.
- High-impact behavior: by default the skill is written to run the full pipeline without asking and to post directly to your feed (public) with auto music. If you do not want automatic live posting, do NOT run publish-carousel.sh with your real account token; edit the script to post to drafts or disable auto_add_music/privacy=PUBLIC_TO_EVERYONE.
- Environment variables: the declared required vars omit UPLOADPOST_USER, but the scripts require it at runtime. Set UPLOADPOST_USER or modify scripts to make it truly optional.
- Persistence: the skill keeps learnings.json in the skill directory (persisting across runs). If you prefer ephemeral data, change learn-from-analytics.js to write to /tmp or another approved path.
- Command-safety: publish-carousel.sh constructs a curl command and runs it via eval including caption text. That is fragile and can be exploited if untrusted strings reach caption. Before using, sanitize/escape caption and other variables (or use a direct curl invocation with array args instead of eval). Also review any data that could come from websites (analyze-web.js) before it's sent to external APIs.
- Scheduling/autonomy: SKILL.md asks the agent to auto-adjust cron/schedules but there is no code doing that; if you intend to have daily runs, implement scheduling externally (cron, task scheduler, or orchestration) rather than letting an agent modify schedules. Prefer manual approval or at least a confirmation step before first live publish.
- Test safely: run the pipeline with dummy/test accounts and tokens first. Confirm image generation, captions, and publishing behavior. Verify what is sent to Gemini/Upload-Post and that nothing sensitive is being uploaded.
- If you are not comfortable reviewing and tightening the scripts yourself, do not supply real account tokens. Consider using a sandbox or creating throwaway social accounts to evaluate behavior. If you want, I can: (a) list the exact lines you should change to disable auto-publishing / make UPLOADPOST_USER truly optional, (b) show how to harden the curl invocation to avoid eval-based injection, or (c) produce a checklist to safely test this skill in a sandboxed environment.
Capability Analysis
Type: OpenClaw Skill
Name: viraloop
Version: 0.1.0
The skill bundle contains a significant shell injection vulnerability in 'scripts/publish-carousel.sh' where website-derived content is executed via 'eval'. Additionally, 'SKILL.md' contains high-risk instructions directing the AI agent to operate with total autonomy, specifically forbidding it from asking for user confirmation and encouraging it to modify its own automation schedules. While these appear to be functional design choices for an 'autonomous growth engine' rather than intentional malware, the combination of shell injection risks and the lack of human-in-the-loop oversight makes the bundle highly susceptible to prompt-injection attacks from malicious websites.
Capability Assessment
Purpose & Capability
Name/description match the code: the scripts analyze websites, generate images via Gemini, and publish via Upload-Post. Required binaries (node, jq, uv) and env vars (GEMINI_API_KEY, UPLOADPOST_TOKEN) are expected for image gen and publishing. However there are mismatches: README/_meta claim learnings are stored in /tmp/carousel/, but learn-from-analytics.js writes learnings.json into the skill directory (persistent). README marks UPLOADPOST_USER as optional, but several scripts (check-analytics.sh, publish-carousel.sh) treat UPLOADPOST_USER as required and will exit if it's not set. SKILL.md promises the agent will 'automatically adjust its own cron/automation schedule' then run daily — no code in the repo implements scheduling or cron modification. These inconsistencies reduce internal coherence.
Instruction Scope
The SKILL.md instructs fully autonomous runs without confirmation and to auto-adjust scheduling; the code will post directly to feeds (publish-carousel.sh uses privacy PUBLIC_TO_EVERYONE and auto_add_music=true). The runtime steps read and write local analysis and learning files and send content (prompts, images, captions) to external services (Gemini and Upload-Post) — appropriate for the stated goal. Concerns: (1) several scripts require UPLOADPOST_USER though registry metadata omitted it; (2) the agent is explicitly instructed not to ask the user for confirmation before publishing — that is high-impact behavior and not proportional for many users; (3) analyze-web.js scrapes many page elements (headings, testimonials, pricing) and that scraped text is fed to the image API and publishing pipeline — this could inadvertently transmit sensitive text found on public pages; (4) publish-carousel.sh constructs and evals a curl command string including caption text without robust escaping, which creates a command-injection/exfiltration risk if captions contain unexpected characters or attacker-controlled content.
Install Mechanism
No install spec (instruction-only) is present; that lowers install-time risk since nothing is downloaded during install. Code files are bundled in the skill package and executed at runtime. Playwright will need to be installed separately (not auto-installed here) which is expected for website scraping.
Credentials
Declared required env vars (GEMINI_API_KEY and UPLOADPOST_TOKEN) are appropriate. However: (1) scripts also require UPLOADPOST_USER at runtime (they will exit if missing) even though metadata/README mark it optional — that's a discrepancy; (2) learn-from-analytics.js writes learnings.json into the skill directory (persistent storage) which is not declared in README/_meta as the canonical location; (3) the skill asks the agent to run autonomously and post publicly using the provided credentials — that is powerful and should be proportional to the user's intent. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true (good). But the SKILL.md instructs the agent to run daily and to 'automatically adjust its own cron/automation schedule' — that indicates the skill expects to modify scheduler/automation settings. There is no implementation for scheduling in the codebase, but the instruction grants broad autonomy to alter agent scheduling; combined with direct-to-feed publishing it increases blast radius. The skill persists a learnings.json in the skill directory (not just /tmp), giving it ongoing state across runs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install viraloop
  3. After installation, invoke the skill by name or use /viraloop
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
viraloop 0.1.0 – Initial Release
- Launches an autonomous pipeline for daily TikTok & Instagram carousel posting.
- Analyzes any website URL for brand, competitors, value proposition; generates 6-slide carousels with visual coherence.
- Publishes directly to TikTok and Instagram with trending music, using upload-post.com API.
- Integrates analytics via a feedback loop (learnings.json) to improve hooks, timing, and visuals over time.
- Includes full guidance on account warmup and execution philosophy for maximizing reach.
- Requires Gemini and upload-post.com free API keys for automated research, image generation, posting, and feedback.
Metadata
Slug viraloop
Version 0.1.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Viraloop?

OpenClaw AI agent skill for automated TikTok and Instagram carousel growth. Analyzes any website URL to extract brand, competitors, value proposition, then g... It is an AI Agent Skill for Claude Code / OpenClaw, with 311 downloads so far.

How do I install Viraloop?

Run "/install viraloop" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Viraloop free?

Yes, Viraloop is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Viraloop support?

Viraloop is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Viraloop?

It is built and maintained by mutonby (@mutonby); the current version is v0.1.0.
