Trusted — Risk Score 5/100
Last scan: 1 day ago
tiktok-app-marketing
TikTok + Instagram slideshow marketing automation for apps
A legitimate TikTok/Instagram marketing automation skill that makes standard API calls to OpenAI, Stability AI, Replicate, Upload-Post, and RevenueCat for image generation, social media posting, and analytics tracking.
Skill Name: tiktok-app-marketing
Duration: 36.1s
Engine: pi
Safe to install
This skill is safe to use. Ensure API keys are stored securely and not committed to version control.

Findings (1 item)

Severity | Finding | Location
Low | No package.json with pinned dependencies | Supply Chain
The skill has no package.json file. Scripts depend on built-in Node.js APIs (fs, path, fetch, Buffer, FormData) and require('canvas') for text overlays. No external npm dependencies are declared or pinned.
Evidence: const fs = require('fs');  (scripts/generate-slides.js:1)
→ Create a package.json with explicit dependencies and versions for production use
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | Standard file read/write for config, images, and reports
Network | READ | READ | ✓ Aligned | API calls to legitimate services: OpenAI, Stability AI, Replicate, Upload-Post, …
Shell | NONE | NONE | | No subprocess or shell execution found
Environment | NONE | NONE | | No environment variable access
2 Critical · 18 findings

Severity | Category | Evidence | Location
Critical | Encoded Execution (Base64 encoded execution, code obfuscation) | Buffer.from(data.data[0].b64_json, 'base64' | scripts/generate-slides.js:83
Critical | Encoded Execution (Base64 encoded execution, code obfuscation) | Buffer.from(data.artifacts[0].base64, 'base64' | scripts/generate-slides.js:107
Medium | External URL | https://openclaw.ai | README.md:5
Medium | External URL | https://upload-post.com | README.md:12
Medium | External URL | https://clawhub.com | README.md:181
Medium | External URL | https://upload-post.github.io/upload-post-larry-marketing-skill/ | index.html:11
Medium | External URL | http://www.w3.org/2000/svg | index.html:13
Medium | External URL | https://api.upload-post.com/api/analytics/ | references/analytics-loop.md:9
Medium | External URL | https://api.upload-post.com/api/uploadposts/history?page=1&limit=50&profile_username= | references/analytics-loop.md:38
Medium | External URL | https://www.tiktok.com/@user/video/7605531854921354518 | references/analytics-loop.md:53
Medium | External URL | https://api.upload-post.com/api/uploadposts/status?request_id= | references/analytics-loop.md:64
Medium | External URL | https://tiktok.com/... | references/competitor-research.md:66
Medium | External URL | https://api.revenuecat.com/v1/subscribers/ | references/revenuecat-integration.md:27
Medium | External URL | https://api.revenuecat.com/v2/projects/ | references/revenuecat-integration.md:35
Medium | External URL | https://api.upload-post.com/api | scripts/check-analytics.js:38
Medium | External URL | https://api.revenuecat.com/v2 | scripts/daily-report.js:71
Medium | External URL | https://api.stability.ai/v1/generation/$ | scripts/generate-slides.js:89
Medium | External URL | https://api.replicate.com/v1/predictions | scripts/generate-slides.js:115

File Tree

16 files · 149.9 KB · 3808 lines
JavaScript: 7 files · 1646 lines; Markdown: 7 files · 1571 lines; HTML: 1 file · 586 lines; JSON: 1 file · 5 lines
├─ 📁 references
│ ├─ 📝 analytics-loop.md Markdown 176L · 5.5 KB
│ ├─ 📝 app-categories.md Markdown 68L · 2.1 KB
│ ├─ 📝 competitor-research.md Markdown 101L · 3.6 KB
│ ├─ 📝 revenuecat-integration.md Markdown 123L · 3.6 KB
│ └─ 📝 slide-structure.md Markdown 111L · 4.2 KB
├─ 📁 scripts
│ ├─ 📜 add-text-overlay.js JavaScript 192L · 5.9 KB
│ ├─ 📜 check-analytics.js JavaScript 246L · 8.3 KB
│ ├─ 📜 competitor-research.js JavaScript 87L · 3.2 KB
│ ├─ 📜 daily-report.js JavaScript 529L · 20.5 KB
│ ├─ 📜 generate-slides.js JavaScript 231L · 8.5 KB
│ ├─ 📜 onboarding.js JavaScript 211L · 7.2 KB
│ └─ 📜 post-to-platforms.js JavaScript 150L · 4.8 KB
├─ 📋 _meta.json JSON 5L · 124 B
├─ 📄 index.html HTML 586L · 21.6 KB
├─ 📝 README.md Markdown 181L · 6.8 KB
└─ 📝 SKILL.md Markdown 811L · 43.9 KB

Dependencies (3 items)

Package | Version | Source | Known Vulns | Notes
node-canvas | not declared | npm | No | Required for text overlays; user must install via npm install canvas per documentation
fetch (built-in) | Node 18+ | built-in | No | Native fetch used for all API calls
fs/path/Buffer (built-in) | Node standard library | built-in | No | File operations and base64 handling

Security Positives

✓ No subprocess or shell execution — all operations use Node.js built-in APIs
✓ No credential harvesting — API keys stored in user-managed config.json only
✓ No data exfiltration — all network calls are to legitimate third-party APIs
✓ Base64 decoding in generate-slides.js is legitimate API response handling (OpenAI and Stability AI return images as base64)
✓ Comprehensive SKILL.md documents all capabilities and external service dependencies
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No obfuscation or anti-analysis techniques
✓ RevenueCat V2 secret key stays local and is not exfiltrated