← 返回 Skills 市场

Larry — Autonomous TikTok Slideshow Agent

Name: Larry — Autonomous TikTok Slideshow Agent
Author: sonnenberglauramarie-afk

作者 sonnenberglauramarie-afk · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

488

总下载

当前安装

版本数

在 OpenClaw 中安装

/install larry-tiktok-agent

功能描述

Automatically creates and schedules 6-slide TikTok slideshows with trending hooks and images linked to your affiliate articles using NVIDIA FLUX and Postiz.

使用说明 (SKILL.md)

Larry — Autonomous TikTok Slideshow Agent

Automatically generates and posts TikTok slideshows for affiliate content sites. Inspired by the "Larry" viral slideshow format (8M views in one week).

What this skill does

Research — Identifies viral hooks and trending topics in your niche
Ideation — Creates 6-slide concepts linked to your affiliate articles
Image Generation — Generates 6 consistent images via NVIDIA FLUX (free tier)
Text Overlay — Adds hook text (Slide 1) + subtitles to each image
Posting — Uploads as draft/scheduled post to TikTok via Postiz (self-hosted)
Learning — Logs performance data, adapts hook formulas over time

Requirements

Postiz self-hosted (free) or Postiz cloud
NVIDIA API key (free tier at build.nvidia.com — includes FLUX image generation)
TikTok account(s) connected via Postiz

Setup

# 1. Copy and fill config
cp ~/.openclaw/skills/larry/config.example.json ~/.openclaw/skills/larry/config.json
# Edit config.json with your API keys and portal details

# 2. Install Python dependencies
pip3 install pillow requests

# 3. Smoke test (no API calls)
python3 ~/.openclaw/skills/larry/scripts/larry.py --portal my-portal --dry-run

Config

{
  "nvidia_api_key": "nvapi-...",
  "postiz_api_key": "...",
  "postiz_base_url": "http://localhost:4007/api",
  "image_model": "flux.1-schnell",
  "slides_per_post": 6,
  "posts_per_day": 2,
  "post_times": ["09:00", "18:00"],
  "portals": {
    "my-portal": {
      "tiktok_account_id": "POSTIZ_INTEGRATION_ID",
      "niche": "Your Niche (e.g. Sauna & Wellness)",
      "site_url": "https://yoursite.com",
      "amazon_tag": "yourtag-21",
      "style": "brief visual style description for image generation",
      "hashtags": ["#tag1", "#tag2", "#tag3"]
    }
  }
}

Usage

# Manual single post:
"Larry, create a TikTok post for [portal] about [topic]"

# Autonomous mode (via cron):
python3 ~/.openclaw/skills/larry/scripts/larry.py --portal my-portal --auto

# Dry run (generate slides, don't post):
python3 ~/.openclaw/skills/larry/scripts/larry.py --portal my-portal --dry-run

Slide Format (TikTok sweet spot)

6 slides exactly
Slide 1: Large hook text + background image
Slides 2–5: Tips / facts / content
Slide 6: CTA → "Link in Bio" → article on your site
Caption: Story-style, natural mention of site, max 5 hashtags
Image style: realistic lifestyle photography look

Cost

Image generation: €0 (NVIDIA free tier, FLUX.1-schnell)
Postiz self-hosted: €0 (Docker, runs locally)
2 posts/day × 30 days = €0/month running cost

Performance Tracking

All posts logged to ~/.openclaw/skills/larry/logs/performance.json. Larry adapts: high-performing hook formulas → more of those, poor ones → phased out.

安全使用建议

Do not run this skill as-is. Specific recommendations: - Remove or replace the bundled config.json before installing; it contains cleartext credentials (nvidia_api_key, postiz_api_key, postiz_email, postiz_password) — treat them as compromised and rotate them if they are real. - Don't trust or publish skills that include populated config files or log files; the pack should provide only config.example.json with placeholders. - The SKILL.md omits a dependency: research.py calls an external 'claude' CLI. If you plan to run this, ensure you understand and trust that binary. larry.py also checks for an OpenAI API key despite not using OpenAI — ask the author why. - Confirm the postiz_base_url points to a Postiz instance you control (default is localhost). Running with an attacker-controlled endpoint would leak uploaded media and credentials. - Audit network traffic when first running (or run in an isolated environment) to see which endpoints receive credentials or uploads (NVIDIA endpoint, Postiz endpoint). - If you want the functionality, request a fixed-up release from the author: remove embedded secrets, correct metadata to list required credentials (NVIDIA key, Postiz email/password or API key, and the 'claude' dependency if required), document all runtime dependencies, and avoid shipping any logs or queues with real data. - If you already executed this bundle with the provided config.json credentials, treat those credentials as compromised and rotate/reset them immediately.

功能分析

Type: OpenClaw Skill Name: larry-tiktok-agent Version: 1.0.0 The skill is classified as suspicious primarily due to the storage of sensitive credentials in plain text within `config.json`. Specifically, `postiz_email` and `postiz_password` are stored unencrypted, which is a significant security vulnerability. While the skill uses these credentials for its stated purpose (interacting with the Postiz API) and does not exhibit intentional malicious behavior like exfiltration to unauthorized endpoints, this insecure storage method makes the credentials vulnerable to compromise if the host system is breached. Additionally, the `research.py` script executes an external `claude` CLI tool via `subprocess.run`, introducing a dependency risk, though the argument passing method mitigates direct shell injection from the prompt string itself.

能力评估

⚠ Purpose & Capability

The skill's name/description match the included code (image gen, overlay, Postiz upload, learning). However the registry metadata claims no required env/configs while the SKILL.md and code clearly require NVIDIA and Postiz credentials (and potentially an LLM CLI). larry.py also checks for an OpenAI API key even though research.py uses a 'claude' CLI — a clear mismatch between stated and actual requirements.

⚠ Instruction Scope

SKILL.md documents NVIDIA FLUX and Postiz, but it does not mention the 'claude' CLI dependency that research.py invokes via subprocess. The runtime instructions and code read/write local files (queue, logs) and will POST credentials to the configured Postiz endpoint and use the NVIDIA API key. The code writes/reads performance logs and used_topics files inside the skill directory and /tmp image files — expected for this app — but the omitted/incorrect dependency listing and the presence of real-looking credentials in the bundle expand the attack surface.

⚠ Install Mechanism

There is no install spec (instruction-only), which is low risk in general, but the distributed bundle includes a populated config.json and existing logs/queue files. Including a pre-filled config.json with credentials inside the skill archive is inappropriate and risky: it encourages accidental use of embedded secrets and leaks whoever committed them. No external download URLs were used, so code provenance is still unknown.

⚠ Credentials

The code expects sensitive values (nvidia_api_key, postiz_api_key, postiz_email, postiz_password) and will transmit them to endpoints (NVIDIA API and the configured postiz_base_url). The registry metadata incorrectly lists 'none' for required env vars/configs, and the bundled config.json contains cleartext credentials — both are disproportionate and inconsistent with safe publishing practice. The OpenAI API-key check in larry.py (and absence of OpenAI usage) is an additional unexplained credential expectation.

ℹ Persistence & Privilege

The skill is not marked always:true and uses standard local files (queue, logs) inside its directory and /tmp. It can be run autonomously (disable-model-invocation is false), which is the platform default; this increases blast radius if combined with other issues, but on its own is expected behavior.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install larry-tiktok-agent
安装完成后，直接呼叫该 Skill 的名称或使用 /larry-tiktok-agent 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release: NVIDIA FLUX image generation, Postiz scheduling, multi-portal affiliate support

元数据

Slug larry-tiktok-agent

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题