TikTok Carousel Creator (Multi-Account Google Drive Support)

Name/description claim: search Pexels, render overlays, upload via PostBridge. Declared requirements list only PEXELS_API_KEY and binaries (ffmpeg, curl), which is plausible for search+render. However the SKILL.md and code clearly expect additional credentials (POST_BRIDGE_API_KEY, optional IMGBB_API_KEY) and include a hardcoded POST_BRIDGE_API_KEY default in the script. The code also tries to import a PostBridge client from an external path (../1ai-skills/marketing/post_bridge_client.py). These extras are not reflected in the skill metadata and are disproportionate to the declared requirements.

Runtime instructions and usage match the stated task (search Pexels, render text overlays, optionally host images, upload via PostBridge). The SKILL.md instructs creating a ~/.tiktok-slideshow workspace and uploading images to third-party services (ImgBB, PostBridge). That scope is expected, but SKILL.md and registry disagree about which env vars are required (POST_BRIDGE_API_KEY present in docs but not in declared requires.env). No instructions ask the agent to read unrelated system secrets, but the code attempts to load a PostBridge client from a sibling skills directory (reads outside its own package), which is unusual and broadens its runtime scope.

This is an instruction-only skill with bundled Python code; there is no installer that downloads arbitrary binaries or archives. Required system binaries (ffmpeg, curl) are declared and used by the code. No remote install URLs or extraction steps are present.

Registry requires only PEXELS_API_KEY, but SKILL.md and code expect POST_BRIDGE_API_KEY and optionally IMGBB_API_KEY and HOST_PROVIDER. Worse: the code contains a hardcoded POST_BRIDGE_API_KEY default (pb_live_BBLz9mjZkkL8q41tb2pwxq). Hardcoded credentials in source are a red flag (credential leakage, unknown owner/validity). Requesting additional hosting/uploader keys is reasonable for the upload flows, but these were not declared up front and so are disproportionate to the listed requirements.

The skill creates a persistent workspace under the user's home (~/.tiktok-slideshow) to store images, rendered output, scripts, and project metadata — this is expected for a content-creation tool. However the code also attempts to import a PostBridge client from an external sibling path (../1ai-skills/marketing/post_bridge_client.py), which means it may access code/config outside the skill bundle. always:false is correct; the skill does not demand elevated platform privileges but the cross-path import and persistent files increase its attack surface.