otman-ai

tiktok-carousel

Author: Otman Heddouch · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 558
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install tikto-automation
Description
Generates a 6-slide TikTok carousel with images and text, creates a draft post via Postiz API, and outputs a caption for review and publishing.
Security usage recommendations
This skill's code appears to do what it claims (generate images/captions and optionally upload drafts to Postiz), but the registry metadata failing to declare required env vars (OPENAI_API_KEY and POSTIZ_API_KEY) is an inconsistency you should address before installing. Before use:
  1. Verify the skill's provenance — ask the publisher for a homepage or repo and confirm you trust it.
  2. Confirm the Postiz service (api.postiz.com) is legitimate and review its API docs; if uncertain, do not provide your production POSTIZ_API_KEY.
  3. Use limited-scope or temporary API keys and avoid reusing high-privilege keys.
  4. Run first in an isolated environment (VM/container) and monitor outbound network requests (or run under a local HTTP proxy) to observe what endpoints are contacted.
  5. If you won't use Postiz, remove/disable postiz_api_integration.py or avoid running scripts/upload.py.
  6. Request that the registry entry be updated to list OpenAI and Postiz credentials explicitly and provide a homepage/source for auditing — that would raise confidence from suspicious to benign.
Functional analysis
Type: OpenClaw Skill
Name: tikto-automation
Version: 1.0.0

The skill bundle is designed to generate images and upload them to an external service (Postiz), which requires file system and network access. While its core functionality aligns with the description, the `postiz_api_integration.py` and `scripts/upload.py` modules accept arbitrary file paths for upload, and `tiktok_content_gen.py` accepts arbitrary paths for local file writes. If an AI agent were to call these scripts with unsanitized user input, it could lead to arbitrary file upload or local file write vulnerabilities, allowing an attacker to potentially exfiltrate arbitrary files or overwrite system files. There is no clear evidence of intentional malicious behavior (e.g., hardcoded exfiltration of sensitive files, backdoors, or explicit prompt injection against the agent to perform harmful actions), but the broad file access capabilities without explicit input sanitization make it suspicious.
Capability assessment
Purpose & Capability
The skill's code implements exactly what the description says: generates images/captions and can upload media/create a TikTok draft via a Postiz client. However, the package registry metadata declares no required environment variables or primary credential, while the SKILL.md and code clearly require OPENAI_API_KEY to generate images (optional placeholder fallback) and POSTIZ_API_KEY (and optionally POSTIZ_API_URL) to upload/create drafts. That metadata omission is inconsistent with the declared purpose.
Instruction Scope
SKILL.md gives narrow, specific instructions (create venv, pip install -r requirements.txt, set OPENAI_API_KEY and POSTIZ_API_KEY, run scripts). The runtime code only reads those environment variables and operates on files in the images output folder. It does not attempt to read unrelated system files, credentials, or broad system state, nor does it send data to endpoints other than OpenAI (image generation) and Postiz (upload/default URL).
Install Mechanism
There is no install script that downloads arbitrary archives — the skill is delivered as Python source plus requirements.txt. Dependencies are standard (openai, requests, Pillow). No remote extract/install URLs or obscure package sources are used. This is lower risk than a remote binary download, but installing Python packages still pulls third-party code from PyPI.
Credentials
The code legitimately uses OPENAI_API_KEY and POSTIZ_API_KEY (and POSTIZ_API_URL). Requiring those API keys is proportionate to the stated tasks, but the registry metadata lists no required env vars or primary credential — an incoherence that could confuse users or hide the need to supply secrets. Also, POSTIZ_API_URL defaults to https://api.postiz.com/v1; the Postiz service and domain are not documented in the skill metadata, and the source/homepage is unknown, so you should verify the target API's trustworthiness before providing keys.
Persistence & Privilege
The skill does not request persistent or elevated privileges. 'always' is false, autonomous invocation is allowed (platform default), and the code does not modify other skills, system-wide agent settings, or write to global configs. It only writes generated images and a caption into the local output directory.
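How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install tikto-automation
  3. After installation, invoke the Skill by name or trigger it with /tikto-automation
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history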
v1.0.0
- Initial release of the TikTok Carousel Generation Skill for automating the creation of 6-slide TikTok carousel posts.
- Generates portrait images with text overlays, a draft TikTok post (via Postiz API), and a ready-to-review caption.
- Supports input customization: topic/persona, slide count, style hints, and optional seeds.
- Includes Python scripts for content generation and draft uploading.
- Emphasizes security (API keys via environment variables) and cost-effectiveness (batching, low-res options).
- Refer to included README.md for setup and usage instructions.
Metadata
Slug: tikto-automation
Version: 1.0.0
License:
Total installs: 0
Current installs: 0
Number of versions: 1
FAQ

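What is tiktok-carousel?

Generates a 6-slide TikTok carousel with images and text, creates a draft post via Postiz API, and outputs a caption for review and publishing. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 558 total downloads to date.

How do I install tiktok-carousel?

Run the command "/install tikto-automation" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.

Is tiktok-carousel free?

Yes, tiktok-carousel is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does tiktok-carousel support?

tiktok-carousel runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed tiktok-carousel?

Developed and maintained by Otman Heddouch (@otman-ai); the current version is v1.0.0.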
