Trusted: risk score 5/100
Last scan: 1 day ago
tiktok-app-marketing
TikTok + Instagram slideshow marketing automation for apps
A legitimate TikTok/Instagram marketing automation skill that makes standard API calls to OpenAI, Stability AI, Replicate, Upload-Post, and RevenueCat for image generation, social media posting, and analytics tracking.
Skill name: tiktok-app-marketing
Analysis time: 36.1s
Engine: pi
Verdict: OK to install
This skill is safe to use. Ensure API keys are stored securely and not committed to version control.

Security findings (1)

Severity | Finding | Category | Location
Low | No package.json with pinned dependencies | Supply chain | scripts/generate-slides.js:1
The skill ships no package.json. The scripts use built-in Node.js APIs (fs, path, fetch, Buffer, FormData) plus one external npm package, canvas, which add-text-overlay.js requires but which is neither declared nor pinned, so whoever installs it gets whatever version npm resolves at install time.
    const fs = require('fs');
→ Add a package.json that declares canvas at an exact version and commit the resulting lockfile (package-lock.json) so production installs are reproducible.
Resource | Declared | Inferred | Status | Evidence
File system | WRITE | WRITE | ✓ consistent | Standard file read/write for config, images, and reports
Network access | READ | READ | ✓ consistent | API calls to legitimate services: OpenAI, Stability AI, Replicate, Upload-Post, …
Command execution | NONE | NONE | | No subprocess or shell execution found
Environment variables | NONE | NONE | | No environment variable access
Pattern-match findings: 18 (2 critical, 16 medium). These are automated regex hits, not confirmed issues; the caveats under each group explain why the analysis above still rates the skill as safe.

Critical | Encoded execution | Base64 encoded execution (code obfuscation)
    Buffer.from(data.data[0].b64_json, 'base64'
    scripts/generate-slides.js:83
Critical | Encoded execution | Base64 encoded execution (code obfuscation)
    Buffer.from(data.artifacts[0].base64, 'base64'
    scripts/generate-slides.js:107
Caveat: both hits decode a base64 image payload returned by the OpenAI and Stability AI image APIs into image bytes. The decoded value is data, not code; the "encoded execution" label is a false positive of the pattern rule, and the Security highlights section below reaches the same conclusion. The pattern would only be meaningful if the decoded buffer were handed to eval, new Function, vm or a child process.

Medium | External URL | https://openclaw.ai | README.md:5
Medium | External URL | https://upload-post.com | README.md:12
Medium | External URL | https://clawhub.com | README.md:181
Medium | External URL | https://upload-post.github.io/upload-post-larry-marketing-skill/ | index.html:11
Medium | External URL | http://www.w3.org/2000/svg | index.html:13
Medium | External URL | https://api.upload-post.com/api/analytics/ | references/analytics-loop.md:9
Medium | External URL | https://api.upload-post.com/api/uploadposts/history?page=1&limit=50&profile_username= | references/analytics-loop.md:38
Medium | External URL | https://www.tiktok.com/@user/video/7605531854921354518 | references/analytics-loop.md:53
Medium | External URL | https://api.upload-post.com/api/uploadposts/status?request_id= | references/analytics-loop.md:64
Medium | External URL | https://tiktok.com/... | references/competitor-research.md:66
Medium | External URL | https://api.revenuecat.com/v1/subscribers/ | references/revenuecat-integration.md:27
Medium | External URL | https://api.revenuecat.com/v2/projects/ | references/revenuecat-integration.md:35
Medium | External URL | https://api.upload-post.com/api | scripts/check-analytics.js:38
Medium | External URL | https://api.revenuecat.com/v2 | scripts/daily-report.js:71
Medium | External URL | https://api.stability.ai/v1/generation/$ | scripts/generate-slides.js:89
Medium | External URL | https://api.replicate.com/v1/predictions | scripts/generate-slides.js:115
Caveat: only four of the sixteen hits are in executable code (check-analytics.js, daily-report.js, and two in generate-slides.js), and all four point at the API hosts of services the skill declares (Upload-Post, RevenueCat, Stability AI, Replicate), matching the network-access row of the permissions table. The other twelve are in README.md, index.html and references/*.md: documentation links, example TikTok video URLs, and http://www.w3.org/2000/svg, which is the SVG XML namespace identifier inside an <svg> element and is never requested over the network. Review effort belongs on any URL in a script whose host is not in the declared set; none of these hits is.
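A reviewer who gets this kind of pattern-hit list regularly will want a second pass that separates the two false-positive classes above from the cases that matter. The block below is an added example written for this page, not the scanner's or the skill's code. It classifies a Buffer.from(x, 'base64') hit as "encoded execution" only when the decoded value reaches a code sink (eval, new Function, vm.*, child_process) on the hit line or within a few following lines, and classifies URL hits by whether they are XML namespace URIs, hosts the skill declares, documentation links, or undeclared hosts in code. The sample lines, the allowlist of declared hostnames (api.openai.com is assumed; the others appear in the hits above), and the helper names are all constructed for the example.

```javascript
// Added example (not part of the skill or the scanner): triage for base64 and
// external-URL pattern hits so that only real code sinks and undeclared hosts
// surface as findings.

// Calls that turn a string or buffer into executed code or a process.
const CODE_SINK =
  String.raw`\b(?:eval|new\s+Function|Function|vm\.\w+|child_process\.\w+|execSync|spawnSync|exec|spawn)\s*\(`;

// lines: source lines; i: index of the line holding the Buffer.from hit.
// Returns 'encoded-execution', 'data-decoding', or null if the line is not a
// base64 decode at all.
function classifyBase64Hit(lines, i, window = 6) {
  const line = lines[i];
  const m = line.match(/(?:(?:const|let|var)\s+(\w+)\s*=\s*)?Buffer\.from\(/);
  if (!m || !/['"]base64['"]/.test(line)) return null;
  // Decoded inline inside a sink, e.g. eval(Buffer.from(p, 'base64').toString())
  if (new RegExp(CODE_SINK + String.raw`[^;]*Buffer\.from\(`).test(line)) return 'encoded-execution';
  const name = m[1];
  if (name) {
    // The variable holding the decoded value later appears as a sink argument.
    const following = lines.slice(i + 1, i + 1 + window).join('\n');
    const usedInSink = new RegExp(CODE_SINK + String.raw`[^;]*\b` + name + String.raw`\b`);
    if (usedInSink.test(following)) return 'encoded-execution';
  }
  return 'data-decoding'; // written to disk, returned, uploaded: data, not code
}

// Hostnames of the services the skill documents. Assumed values maintained by
// the reviewer; api.openai.com is not among the hits and is an assumption.
const DECLARED_HOSTS = new Set([
  'api.openai.com', 'api.stability.ai', 'api.replicate.com',
  'api.upload-post.com', 'api.revenuecat.com',
]);
// Namespace URIs such as http://www.w3.org/2000/svg are identifiers, never fetched.
const NAMESPACE_PREFIXES = ['http://www.w3.org/'];

// raw: the matched URL text; file: the path it was found in.
function classifyUrl(raw, file) {
  if (NAMESPACE_PREFIXES.some((p) => raw.startsWith(p))) return 'xml-namespace';
  let host;
  try {
    host = new URL(raw).hostname;
  } catch {
    return 'unparseable';
  }
  if (DECLARED_HOSTS.has(host)) return 'declared-api-host';
  // An undeclared host in code needs review; in README/reference docs it is a link.
  return /\.(?:md|html?)$/i.test(file) ? 'documentation-link' : 'undeclared-host';
}

const SEVERITY = {
  'encoded-execution': 'critical',
  'undeclared-host': 'medium',
  'unparseable': 'low',
  'data-decoding': 'info',
  'declared-api-host': 'info',
  'documentation-link': 'info',
  'xml-namespace': 'info',
};

// Constructed sample hits: the report's benign image decode, a malicious
// lookalike, and four URL hits of different kinds.
const SAMPLE_BASE64 = [
  { file: 'scripts/generate-slides.js', index: 1, lines: [
    'const data = await res.json();',
    "const img = Buffer.from(data.data[0].b64_json, 'base64');",
    'fs.writeFileSync(outPath, img);',
  ] },
  { file: 'evil.js', index: 1, lines: [
    "const blob = 'Y29uc29sZS5sb2coMSk=';",
    "const code = Buffer.from(blob, 'base64').toString('utf8');",
    'eval(code);',
  ] },
];
const SAMPLE_URLS = [
  { file: 'index.html', url: 'http://www.w3.org/2000/svg' },
  { file: 'scripts/daily-report.js', url: 'https://api.revenuecat.com/v2' },
  { file: 'README.md', url: 'https://openclaw.ai' },
  { file: 'scripts/post.js', url: 'https://collector.example/upload' },
];

function triage() {
  const b64 = SAMPLE_BASE64.map((h) => {
    const kind = classifyBase64Hit(h.lines, h.index);
    return { file: h.file, kind, severity: SEVERITY[kind] };
  });
  const urls = SAMPLE_URLS.map((h) => {
    const kind = classifyUrl(h.url, h.file);
    return { file: h.file, kind, severity: SEVERITY[kind] };
  });
  return [...b64, ...urls];
}

console.table(triage());
```

On the sample input only the constructed eval case and the constructed undeclared collector host survive as findings; the skill's own image decode, the namespace URI, the declared RevenueCat host and the README link all drop to informational, which is the outcome the verdict at the top of this report reflects.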

Directory structure

16 files · 149.9 KB · 3808 lines
JavaScript: 7 files, 1646 lines · Markdown: 7 files, 1571 lines · HTML: 1 file, 586 lines · JSON: 1 file, 5 lines
├─ 📁 references
│ ├─ 📝 analytics-loop.md Markdown 176L · 5.5 KB
│ ├─ 📝 app-categories.md Markdown 68L · 2.1 KB
│ ├─ 📝 competitor-research.md Markdown 101L · 3.6 KB
│ ├─ 📝 revenuecat-integration.md Markdown 123L · 3.6 KB
│ └─ 📝 slide-structure.md Markdown 111L · 4.2 KB
├─ 📁 scripts
│ ├─ 📜 add-text-overlay.js JavaScript 192L · 5.9 KB
│ ├─ 📜 check-analytics.js JavaScript 246L · 8.3 KB
│ ├─ 📜 competitor-research.js JavaScript 87L · 3.2 KB
│ ├─ 📜 daily-report.js JavaScript 529L · 20.5 KB
│ ├─ 📜 generate-slides.js JavaScript 231L · 8.5 KB
│ ├─ 📜 onboarding.js JavaScript 211L · 7.2 KB
│ └─ 📜 post-to-platforms.js JavaScript 150L · 4.8 KB
├─ 📋 _meta.json JSON 5L · 124 B
├─ 📄 index.html HTML 586L · 21.6 KB
├─ 📝 README.md Markdown 181L · 6.8 KB
└─ 📝 SKILL.md Markdown 811L · 43.9 KB

Dependency analysis (3)

Package | Version | Source | Known vulnerabilities | Notes
node-canvas | not declared | npm | | Required for text overlays; the user must install it with npm install canvas as the documentation instructs, so the installed version is whatever npm resolves at that time
fetch (built-in) | Node 18+ | built-in | | Native fetch used for all API calls
fs/path/Buffer (built-in) | Node standard library | built-in | | File operations and base64 handling

Security highlights

✓ No subprocess or shell execution — all operations use Node.js built-in APIs
✓ No credential harvesting — API keys stored in user-managed config.json only
✓ No data exfiltration — all network calls are to legitimate third-party APIs
✓ Base64 decoding in generate-slides.js is legitimate API response handling (OpenAI and Stability AI return images as base64)
✓ Comprehensive SKILL.md documents all capabilities and external service dependencies
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No obfuscation or anti-analysis techniques
✓ RevenueCat V2 secret key stays local and is not exfiltrated