TikTok Content Pipeline

Automates TikTok carousel content creation, smart scheduling, publishing via Postiz API, and analytics-driven optimization for niche accounts.

This package generally does what it says (generate/schedule/post via Postiz), but several inconsistencies merit caution: - Metadata mismatch: The registry entry claims no required env vars/binaries, but SKILL.md and code require POSTIZ_API_KEY, a TikTok integration ID, Node.js, and the 'postiz' CLI. Treat the registry metadata as unreliable until corrected. - Before installing: inspect package.json and SETUP.md, and confirm postiz-cli's origin (npm page or official Postiz site). Native deps like canvas/sharp can require build tools—install in a controlled environment. - Secrets: Provide POSTIZ_API_KEY only via a secure environment variable or secret manager; do not commit API keys into repo config files. If you must store config files, add them to .gitignore as recommended. - Test safely: Use a throwaway/test TikTok account and test templates and 'auto-improve' in dry-run mode first to confirm behavior (the skill can auto-post and auto-modify account configs). - Audit packages: Run 'npm install' in an isolated environment, then 'npm audit' and review dependencies for native code or uncommon publishers. - Runtime autonomy: If you plan to enable autonomous invocation for an agent that has this skill, consider restricting that agent's scope or disabling auto-implement features to prevent unintended automated posting. If you want to proceed, ask the publisher or registry maintainer to correct the metadata (declare required env vars and required binaries/install steps) so you have an accurate inventory of what the skill will require.

Type: OpenClaw Skill Name: tiktok-content-pipeline Version: 1.0.4 The skill is classified as suspicious due to its extensive use of `child_process.execSync` for external CLI interaction (Postiz CLI) and dynamic module loading (`require`) based on user-controlled input (template names). While the code demonstrates a clear and consistent effort to mitigate shell injection and path traversal risks through robust input sanitization and a custom `_shellEscape` function in `cli.js`, `core/AnalyticsEngine.js`, and `core/Publisher.js`, these primitives inherently increase the attack surface for potential vulnerabilities. The 'auto-improve' and 'auto-post' features, while documented, grant significant control over account configurations and publishing, which could be abused if the underlying defenses were to fail. There is no evidence of intentional malicious behavior like data exfiltration or unauthorized persistence.