Trusted (risk score 5/100)
Last scanned: 1 day ago
tiktok-app-marketing
Automates TikTok slideshow marketing for any app or product: researches competitors, generates AI images, adds text overlays, posts via Postiz, tracks analytics, and iterates on what works.
A legitimate TikTok marketing automation skill with no security issues — the base64 IOCs are standard API response decoding, all capabilities are documented, and no malicious or suspicious behavior was found.
Skill name: tiktok-app-marketing
Analysis time: 43.9s
Engine: pi
Verdict: safe to install
This skill is safe to use. The npm install shell:WRITE permission is declared in SKILL.md and is necessary for installing node-canvas. No action required.
Resource               Declared  Inferred  Status      Evidence
Filesystem             WRITE     WRITE     consistent  SKILL.md: writes to tiktok-marketing/ and output directories
Network access         READ      READ      consistent  SKILL.md: external APIs (OpenAI, Stability AI, Replicate, Postiz, RevenueCat)
Command execution      WRITE     WRITE     consistent  SKILL.md: 'npm install canvas' requires shell execution
Environment variables  NONE      NONE      -           No environment variable iteration or sensitive key harvesting
Skill invocation       NONE      NONE      -           No undeclared skill invocations
Clipboard              NONE      NONE      -           No clipboard access
Browser                READ      READ      consistent  SKILL.md: browser used for competitor research on TikTok/App Store
Database               NONE      NONE      -           No database access
13 findings (2 critical). Both critical findings are the generic base64-decode rule matching image-API response handling (see the summary above); the eleven medium findings are external URLs, listed by file and line.
[Critical] Encoded execution: Base64-encoded execution (code obfuscation)
    Buffer.from(data.data[0].b64_json, 'base64'
    scripts/generate-slides.js:83

[Critical] Encoded execution: Base64-encoded execution (code obfuscation)
    Buffer.from(data.artifacts[0].base64, 'base64'
    scripts/generate-slides.js:107

[Medium] External URL
    https://postiz.pro/oliverhenry
    SKILL.md:19

[Medium] External URL
    https://api.postiz.com/public/v1/analytics/
    references/analytics-loop.md:9

[Medium] External URL
    https://api.postiz.com/public/v1/analytics/post/
    references/analytics-loop.md:28

[Medium] External URL
    https://api.postiz.com/public/v1/posts?startDate=
    references/analytics-loop.md:44

[Medium] External URL
    https://tiktok.com/...
    references/competitor-research.md:66

[Medium] External URL
    https://api.revenuecat.com/v1/subscribers/
    references/revenuecat-integration.md:27

[Medium] External URL
    https://api.revenuecat.com/v2/projects/
    references/revenuecat-integration.md:35

[Medium] External URL
    https://api.postiz.com/public/v1
    scripts/check-analytics.js:46

[Medium] External URL
    https://api.revenuecat.com/v2
    scripts/daily-report.js:59

[Medium] External URL
    https://api.stability.ai/v1/generation/$
    scripts/generate-slides.js:89

[Medium] External URL
    https://api.replicate.com/v1/predictions
    scripts/generate-slides.js:115
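The two critical findings above are the scanner's generic rule for Buffer.from(..., 'base64') firing on image-API response decoding. What decides whether such a hit is obfuscated execution or ordinary data handling is the sink the decoded bytes reach. The following is an added example, not code from the tiktok-app-marketing skill or from the scanner: a line-level triage of base64 decodes by sink, and a runtime guard that accepts a decoded image field only if the bytes carry a PNG, JPEG or WebP signature and never hands them to an execution sink. The sample source lines are constructed to resemble the report's two findings; the regexes and the lists of execution and data sinks are this example's assumptions.

```javascript
'use strict';

// Added example (not from the tiktok-app-marketing skill or the scanner):
// triaging a "Base64 encoded execution" finding. The scanner flags every
// Buffer.from(x, 'base64'); what matters is where the decoded bytes flow.

// Part 1: static, per-line triage by sink (regex lists are assumptions).
// Sinks that would turn a base64 blob into code or commands.
const EXEC_SINKS = /\b(eval|Function|vm\.\w+|child_process|exec(File)?(Sync)?|spawn(Sync)?|require)\s*\(/;
// Sinks that treat the bytes as data (file, image library, stream).
const DATA_SINKS = /\b(writeFile(Sync)?|createWriteStream|loadImage|sharp|pipe)\s*\(/;
// Matches the decode itself; the closing paren is optional so truncated snippets still match.
const B64_DECODE = /Buffer\.from\([^)]*['"]base64['"]|\batob\s*\(/;

function triageBase64Use(line) {
  if (!B64_DECODE.test(line)) return 'not-a-base64-decode';
  if (EXEC_SINKS.test(line)) return 'suspicious: decoded bytes reach an execution sink';
  if (DATA_SINKS.test(line)) return 'benign: decoded bytes reach a data sink';
  return 'review: sink not visible on this line, follow the variable';
}

// Constructed sample lines modeled on the report's findings (not the real source).
const SAMPLE_LINES = [
  // Like scripts/generate-slides.js:83: decode, then write the image to disk.
  "const png = Buffer.from(data.data[0].b64_json, 'base64'); fs.writeFileSync(outPath, png);",
  // Like scripts/generate-slides.js:107: decode only, the sink is on a later line.
  "const img = Buffer.from(data.artifacts[0].base64, 'base64');",
  // What a genuine obfuscated-execution hit looks like.
  "eval(Buffer.from(payload, 'base64').toString('utf8'));",
  "new Function(atob(blob))();",
  // Not base64 at all; the rule should not fire.
  "const out = Buffer.from(body, 'hex');",
];

// Part 2: runtime guard for the legitimate pattern.
// Magic bytes of the formats an image-generation API plausibly returns.
const IMAGE_SIGNATURES = {
  png: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  jpeg: Buffer.from([0xff, 0xd8, 0xff]),
  webp: Buffer.from('RIFF', 'latin1'), // RIFF container with 'WEBP' at offset 8
};

function sniffImageType(buf) {
  for (const [type, sig] of Object.entries(IMAGE_SIGNATURES)) {
    if (buf.length < sig.length || !buf.subarray(0, sig.length).equals(sig)) continue;
    if (type === 'webp' && buf.toString('latin1', 8, 12) !== 'WEBP') continue;
    return type;
  }
  return null;
}

// Decode an API's base64 image field and refuse anything that is not an image.
// Returns { ok: true, type, bytes, buf } or { ok: false, reason }; the bytes
// only ever go to a file or an image library, never to eval/Function/exec.
function decodeImageField(b64) {
  if (typeof b64 !== 'string' || !/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) {
    return { ok: false, reason: 'field is not base64' };
  }
  const buf = Buffer.from(b64, 'base64');
  const type = sniffImageType(buf);
  if (!type) return { ok: false, reason: 'decoded payload is not PNG/JPEG/WebP' };
  return { ok: true, type, bytes: buf.length, buf };
}

// Constructed samples: the 8-byte PNG signature, and a script disguised as an image field.
const SAMPLE_PNG_B64 = 'iVBORw0KGgo=';
const SAMPLE_SCRIPT_B64 = Buffer.from('require("child_process").execSync("id")', 'utf8').toString('base64');

for (const line of SAMPLE_LINES) console.log(triageBase64Use(line).padEnd(60), '<-', line);
console.log(decodeImageField(SAMPLE_PNG_B64).type, decodeImageField(SAMPLE_SCRIPT_B64).reason);
```

The per-line triage is deliberately coarse: a decode with no visible sink (the second sample, like the report's second finding) is a "review" result, not a verdict, and the reviewer follows the variable to where it is consumed. In the skill's case both decodes are consumed by image handling, which is why the report downgrades them.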

Directory structure

13 files · 126.4 KB · 3031 lines
JavaScript: 7 files, 1628 lines · Markdown: 6 files, 1403 lines
├─ references/
│  ├─ analytics-loop.md            Markdown    151 lines · 5.3 KB
│  ├─ app-categories.md            Markdown     68 lines · 2.1 KB
│  ├─ competitor-research.md       Markdown    101 lines · 3.6 KB
│  ├─ revenuecat-integration.md    Markdown    123 lines · 3.6 KB
│  └─ slide-structure.md           Markdown    111 lines · 4.2 KB
├─ scripts/
│  ├─ add-text-overlay.js          JavaScript  192 lines · 5.9 KB
│  ├─ check-analytics.js           JavaScript  227 lines · 9.1 KB
│  ├─ competitor-research.js       JavaScript   87 lines · 3.2 KB
│  ├─ daily-report.js              JavaScript  562 lines · 24.2 KB
│  ├─ generate-slides.js           JavaScript  231 lines · 8.5 KB
│  ├─ onboarding.js                JavaScript  213 lines · 7.1 KB
│  └─ post-to-tiktok.js            JavaScript  116 lines · 3.4 KB
└─ SKILL.md                        Markdown    849 lines · 46.1 KB

Dependency analysis (2 items)

Package      Version      Source                 Known vulnerabilities                   Notes
node-canvas  not bundled  npm install (runtime)  not assessed (not in scanned artifact)  Not included in skill; user must install at runtime via npm install canvas
canvas       not bundled  npm (peer dep)         not assessed (not in scanned artifact)  Native module required for text overlay rendering

Both rows describe the same dependency: node-canvas is the project name of the npm package canvas. Because it is fetched by npm at install time rather than shipped in the skill, its version and any advisories against it are outside what this scan inspected; pin the version and run npm audit after installing it.

Security highlights

✓ No credential harvesting — API keys are only forwarded to their respective provider APIs and never exfiltrated
✓ No data exfiltration — all outbound traffic is to documented, legitimate third-party APIs (OpenAI, Stability AI, Replicate, Postiz, RevenueCat)
✓ All capabilities are clearly declared in SKILL.md with explanations
✓ The base64 IOC (Buffer.from) is standard and legitimate — it's how image generation APIs return binary image data
✓ No obfuscation, eval(), or hidden instructions anywhere in the codebase
✓ Filesystem access is scoped to a user-designated directory (tiktok-marketing/) and a temporary output directory
✓ Sensitive keys (Postiz API key, RevenueCat V2 secret) are stored in config.json which the user provides locally — not harvested
✓ The skill does not install dependencies beyond what the user approves (node-canvas via npm)
✓ No reverse shells, no C2 communication, no credential theft, and no supply-chain risk within the scanned files (the runtime npm install of canvas is outside the scan's scope)
✓ The skill is a genuine marketing automation tool with a well-documented feedback loop architecture
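The highlight that all outbound traffic goes to documented third-party APIs can be checked mechanically against the external-URL findings. The following is an added example, not part of the skill or of the scanner: it takes the eleven URLs the report lists, keyed by file and line, separates runtime code in scripts/ from documentation in SKILL.md and references/, and compares each hostname with the providers declared in SKILL.md, also rejecting any plaintext http endpoint. The hostname allowlist is this example's assumption derived from the network-access row; api.openai.com appears in no URL finding and is included only because OpenAI is declared. The one hostname outside the allowlist, postiz.pro, occurs only in SKILL.md documentation, not in any script, which is why it does not contradict the highlight.

```javascript
'use strict';

// Added example (not part of the skill or the scanner): audit the report's
// external-URL findings against the providers SKILL.md declares, and separate
// URLs in runtime code (scripts/) from URLs that only appear in documentation
// (SKILL.md, references/). Only the former is actual outbound traffic.

// Assumed allowlist: hostnames of the providers named in the report's
// network-access row, plus the TikTok site used for browser research.
const DECLARED_HOSTS = new Set([
  'api.openai.com',
  'api.stability.ai',
  'api.replicate.com',
  'api.postiz.com',
  'api.revenuecat.com',
  'tiktok.com',
  'www.tiktok.com',
]);

// The 11 external-URL findings listed in the report, as [location, url].
const URL_FINDINGS = [
  ['SKILL.md:19', 'https://postiz.pro/oliverhenry'],
  ['references/analytics-loop.md:9', 'https://api.postiz.com/public/v1/analytics/'],
  ['references/analytics-loop.md:28', 'https://api.postiz.com/public/v1/analytics/post/'],
  ['references/analytics-loop.md:44', 'https://api.postiz.com/public/v1/posts?startDate='],
  ['references/competitor-research.md:66', 'https://tiktok.com/...'],
  ['references/revenuecat-integration.md:27', 'https://api.revenuecat.com/v1/subscribers/'],
  ['references/revenuecat-integration.md:35', 'https://api.revenuecat.com/v2/projects/'],
  ['scripts/check-analytics.js:46', 'https://api.postiz.com/public/v1'],
  ['scripts/daily-report.js:59', 'https://api.revenuecat.com/v2'],
  ['scripts/generate-slides.js:89', 'https://api.stability.ai/v1/generation/$'],
  ['scripts/generate-slides.js:115', 'https://api.replicate.com/v1/predictions'],
];

// Classify one finding: where it lives (runtime vs documentation), whether the
// host is declared, and whether the scheme protects the API key in transit.
function classifyFinding([location, url]) {
  let host = null;
  let https = false;
  try {
    const u = new URL(url);
    host = u.hostname;
    https = u.protocol === 'https:';
  } catch (e) {
    host = null; // unparseable URL, e.g. a template fragment
  }
  const runtime = location.startsWith('scripts/');
  const declared = host !== null && DECLARED_HOSTS.has(host);
  let verdict;
  if (host === null) verdict = 'unparseable';
  else if (!https) verdict = runtime ? 'runtime-plaintext' : 'doc-plaintext';
  else if (runtime) verdict = declared ? 'runtime-declared' : 'runtime-undeclared';
  else verdict = declared ? 'doc-declared' : 'doc-undeclared';
  return { location, url, host, verdict };
}

function auditOutbound(findings = URL_FINDINGS) {
  const results = findings.map(classifyFinding);
  const byVerdict = {};
  for (const r of results) (byVerdict[r.verdict] = byVerdict[r.verdict] || []).push(r);
  return {
    results,
    byVerdict,
    // The highlight "all outbound traffic goes to documented APIs" holds iff both lists are empty.
    runtimeUndeclared: byVerdict['runtime-undeclared'] || [],
    runtimePlaintext: byVerdict['runtime-plaintext'] || [],
    // Documentation links outside the allowlist are worth a look but are not egress.
    docUndeclared: byVerdict['doc-undeclared'] || [],
  };
}

const audit = auditOutbound();
for (const r of audit.results) console.log(r.verdict.padEnd(18), String(r.host).padEnd(20), r.location);
console.log('runtime hosts outside allowlist:', audit.runtimeUndeclared.length);
console.log('documentation links outside allowlist:', audit.docUndeclared.map((r) => r.host));
```

The split by location matters because a scanner that reports every URL string at the same severity cannot tell a referral link in a README from a hard-coded endpoint a script will actually call with the user's API key; only the latter belongs in the egress allowlist check.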