Trusted — Risk Score 5/100
Last scan: 1 day ago
tiktok-app-marketing
Automate TikTok slideshow marketing for any app or product. Researches competitors, generates AI images, adds text overlays, posts via Postiz, tracks analytics, and iterates on what works.
A legitimate TikTok marketing automation skill with no security issues — the base64 IOCs are standard API response decoding, all capabilities are documented, and no malicious or suspicious behavior was found.
Skill Name: tiktok-app-marketing
Duration: 43.9s
Engine: pi
Safe to install
This skill is safe to use. The npm install shell:WRITE permission is declared in SKILL.md and is necessary for installing node-canvas. No action required.
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md: writes to tiktok-marketing/ and output directories
Network | READ | READ | ✓ Aligned | SKILL.md: external APIs (OpenAI, Stability AI, Replicate, Postiz, RevenueCat)
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: 'npm install canvas' requires shell execution
Environment | NONE | NONE | | No environment variable iteration or sensitive key harvesting
Skill Invoke | NONE | NONE | | No undeclared skill invocations
Clipboard | NONE | NONE | | No clipboard access
Browser | READ | READ | ✓ Aligned | SKILL.md: browser used for competitor research on TikTok/App Store
Database | NONE | NONE | | No database access
Findings: 13 (2 Critical, 11 Medium)
Critical: Encoded Execution (Base64-encoded execution, code obfuscation)
  Evidence: Buffer.from(data.data[0].b64_json, 'base64'
  Location: scripts/generate-slides.js:83

Critical: Encoded Execution (Base64-encoded execution, code obfuscation)
  Evidence: Buffer.from(data.artifacts[0].base64, 'base64'
  Location: scripts/generate-slides.js:107

Medium: External URL
  Evidence: https://postiz.pro/oliverhenry
  Location: SKILL.md:19

Medium: External URL
  Evidence: https://api.postiz.com/public/v1/analytics/
  Location: references/analytics-loop.md:9

Medium: External URL
  Evidence: https://api.postiz.com/public/v1/analytics/post/
  Location: references/analytics-loop.md:28

Medium: External URL
  Evidence: https://api.postiz.com/public/v1/posts?startDate=
  Location: references/analytics-loop.md:44

Medium: External URL
  Evidence: https://tiktok.com/...
  Location: references/competitor-research.md:66

Medium: External URL
  Evidence: https://api.revenuecat.com/v1/subscribers/
  Location: references/revenuecat-integration.md:27

Medium: External URL
  Evidence: https://api.revenuecat.com/v2/projects/
  Location: references/revenuecat-integration.md:35

Medium: External URL
  Evidence: https://api.postiz.com/public/v1
  Location: scripts/check-analytics.js:46

Medium: External URL
  Evidence: https://api.revenuecat.com/v2
  Location: scripts/daily-report.js:59

Medium: External URL
  Evidence: https://api.stability.ai/v1/generation/$
  Location: scripts/generate-slides.js:89

Medium: External URL
  Evidence: https://api.replicate.com/v1/predictions
  Location: scripts/generate-slides.js:115

File Tree

13 files · 126.4 KB · 3031 lines
JavaScript: 7 files, 1628 lines · Markdown: 6 files, 1403 lines
├─ 📁 references
│ ├─ 📝 analytics-loop.md Markdown 151L · 5.3 KB
│ ├─ 📝 app-categories.md Markdown 68L · 2.1 KB
│ ├─ 📝 competitor-research.md Markdown 101L · 3.6 KB
│ ├─ 📝 revenuecat-integration.md Markdown 123L · 3.6 KB
│ └─ 📝 slide-structure.md Markdown 111L · 4.2 KB
├─ 📁 scripts
│ ├─ 📜 add-text-overlay.js JavaScript 192L · 5.9 KB
│ ├─ 📜 check-analytics.js JavaScript 227L · 9.1 KB
│ ├─ 📜 competitor-research.js JavaScript 87L · 3.2 KB
│ ├─ 📜 daily-report.js JavaScript 562L · 24.2 KB
│ ├─ 📜 generate-slides.js JavaScript 231L · 8.5 KB
│ ├─ 📜 onboarding.js JavaScript 213L · 7.1 KB
│ └─ 📜 post-to-tiktok.js JavaScript 116L · 3.4 KB
└─ 📝 SKILL.md Markdown 849L · 46.1 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
node-canvas | not bundled | npm install (runtime) | No | Not included in skill; user must install at runtime via npm install canvas
canvas | not bundled | npm (peer dep) | No | Native module required for text overlay rendering

Security Positives

✓ No credential harvesting — API keys are only forwarded to their respective provider APIs and never exfiltrated
✓ No data exfiltration — all outbound traffic is to documented, legitimate third-party APIs (OpenAI, Stability AI, Replicate, Postiz, RevenueCat)
✓ All capabilities are clearly declared in SKILL.md with explanations
✓ The base64 IOC (Buffer.from) is standard and legitimate — it's how image generation APIs return binary image data
✓ No obfuscation, eval(), or hidden instructions anywhere in the codebase
✓ Filesystem access is scoped to a user-designated directory (tiktok-marketing/) and a temporary output directory
✓ Sensitive keys (Postiz API key, RevenueCat V2 secret) are stored in config.json which the user provides locally — not harvested
✓ The skill does not install dependencies beyond what the user approves (node-canvas via npm)
✓ No reverse shells, no C2 communication, no credential theft, no supply-chain risks
✓ The skill is a genuine marketing automation tool with a well-documented feedback loop architecture