Viral Content Creator

The skill claims autoposting, platform integrations, analytics, and A/B testing across TikTok/Instagram/Facebook/Twitter/YouTube, but declares no required credentials, no config paths, and no install steps. Real multi-platform posting requires API keys/tokens and integration code; those are missing from the manifest.

SKILL.md instructs running scripts (e.g., scripts/generate_videos.py, scripts/autopilot.py), scheduling posts, tracking views/watch-time/conversions, and interacting with PostBridge. However the package contains only SKILL.md and package.json — the referenced scripts and any code to call platform APIs or collect analytics are absent, which is an incoherence and a potential red flag.

There is no install spec (instruction-only), so nothing will be downloaded or installed automatically. That minimally reduces supply-chain risk, but also means the skill as-published is incomplete (it points at scripts that aren't present).

The skill's functionality would reasonably require multiple service credentials (social platform API keys/tokens, PostBridge credentials, possibly analytics or affiliate tracking credentials), but requires.env lists none. This mismatch suggests either missing declarations or that the skill's instructions expect users to supply credentials ad-hoc, which increases risk.

The skill is not always-enabled and allows normal model invocation. It does not request elevated or persistent platform-level privileges in the manifest. The real concern is that its intended autonomous behavior (autopilot posting) would need credentials; those are not declared.