ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Вконтакте - публикация постов, фото и видео. Диалоги с посетителями. NodeJS

Manage VK.com (Vkontakte) community: post content (text, photos, videos) and handle messages. Use for automating community management via VK API.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.8k · 0 current installs · 0 all-time installs
by@RuslanLanket
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name, SKILL.md, and scripts/vk_cli.js all consistently implement VK community management (posting, uploads, long‑poll messaging). However the registry metadata declares no required credentials or environment variables while the SKILL.md explicitly requires a VK Access Token (a User Token with wide scopes). That metadata mismatch is an incoherence: a consumer would expect the required token to be declared in the skill manifest.
Instruction Scope
Runtime instructions are scoped to VK API actions (posting, uploads, messages, Long Poll). They do not request unrelated system files or other secrets. Two operational risks to note: (1) the SKILL.md shows passing the access token as a CLI argument (e.g., node scripts/vk_cli.js post $TOKEN ...), which exposes the token to process lists and shell history; (2) the docs recommend using a third‑party site (vkhost.github.io) to obtain a permanent User Token — relying on external token generators can be risky and should be verified.
Install Mechanism
No install spec is present (instruction-only with included script). Nothing is downloaded or executed automatically by an installer. The only executable artifact is scripts/vk_cli.js; no remote install URLs or extract operations were observed.
!
Credentials
The skill legitimately needs a VK access token with broad scopes (wall, groups, photos, video, messages, offline) to perform the advertised operations, but the skill metadata does not declare any required env vars or a primary credential. Requiring a full‑privilege User Token is proportionate to the capability but is sensitive — the manifest should explicitly declare this requirement and clarify minimum scopes. The recommendation to use an external token service increases risk if users hand credentials to an untrusted site.
Persistence & Privilege
The skill does not request 'always: true' and does not attempt to change other skills' configurations or persist across agents. It runs as a CLI script invoked by the user; autonomous invocation is allowed by default but is not combined with other high‑privilege red flags here.
What to consider before installing
This skill appears to be a straightforward VK CLI for community management, but stop and consider these points before installing or running it: - The skill requires a VK Access Token (a 'User Token' with wide scopes). This is sensitive — treat it like a password. The package metadata does not declare this requirement, so don't assume the skill will protect or store your token safely. - Passing the token as a command‑line argument (the examples do this) exposes it to process listings and shell history. Prefer providing the token via a secure environment variable, a file with restricted permissions, or other safer means. - The documentation suggests using a third‑party site (vkhost.github.io) to obtain a permanent token. Verify the trustworthiness of any external token provider before entering credentials — better to create your own app or use official dev.vk.com flows if possible. - Review scripts/vk_cli.js yourself (or run it in an isolated environment) to confirm it only talks to api.vk.com and VK upload URLs; there is no obfuscation, but you should verify network destinations and test with a least‑privilege token first (community token) where feasible. - Because the manifest omitted the required credential declaration, be cautious: ask the publisher (or avoid installing) until the metadata accurately lists the required token and scopes. If you proceed: run in a sandboxed environment, use a token with minimal scopes you need, avoid CLI token arguments, and verify the token provider and code before giving it full administrative (User Token) credentials.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2
Download zip
latestvk97a9kx5jpzpr3fanxw9q63y9n80cchd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

VK Community Management

This skill allows you to manage a VK community using the VK API.

Requirements

  • VK Access Token. Важно: Используйте User Token для полных прав (удаление постов, простая загрузка фото). См. references/api.md для деталей.
  • Node.js environment.

Core Workflows

1. Posting to the Wall

To post to a community wall:

  1. Если есть медиафайлы, загрузите их:
    • node scripts/vk_cli.js upload-photo $TOKEN $GROUP_ID "./image.jpg"
  2. Используйте post с полученным ID вложения:
    • node scripts/vk_cli.js post $TOKEN -$GROUP_ID "Текст поста" $ATTACH_ID

2. Handling Messages

To respond to user messages:

  1. Fetch history with get-messages.
  2. Send a reply with message.

3. Real-time Monitoring (Long Poll)

To receive and process messages instantly:

  1. Ensure Long Poll API is enabled in your group settings (Manage → API Interaction → Long Poll API).
  2. Use the poll command:
    • node scripts/vk_cli.js poll $TOKEN $GROUP_ID 1 (where 1 means auto-mark as read).

Note: This skill works best with a User Token that has messages,wall,groups,offline permissions. Use VK Host to get a permanent token.

Advanced Features

For details on setting up Long Poll and specialized API methods, refer to references/api.md.

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…