Clawpost

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: clawpost-2
Version: 0.1.3

The skill bundle is benign. All instructions and API calls in `SKILL.md` are directly related to the stated purpose of social media publishing via the ClawPost API. It uses `curl` to interact with `https://clawpost.dev` and requires a `CLAW_API_KEY` for authentication, which is standard practice. There is no evidence of data exfiltration, arbitrary command execution, persistence mechanisms, or malicious prompt injection attempts against the AI agent. The instructions are clear and helpful for the agent to perform its task.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could publish content publicly to a connected LinkedIn or X account if the user’s instruction is ambiguous or the agent acts too broadly.

Why it was flagged

The skill exposes direct public publishing through an API endpoint, including a no-draft workflow, but the visible artifact does not instruct the agent to obtain explicit user confirmation before publishing.

Skill content

### Direct Publish (No Draft Step)
```bash
curl -s -X POST {{CLAW_API_URL}}/api/claw/v1/publish ...
```

Recommendation

Only install if you are comfortable granting posting authority, and require manual review/confirmation before using publish, schedule, update, or delete actions.

What this means

Anyone or any agent with the API key may be able to access ClawPost functions for connected social accounts.

Why it was flagged

The provider API key is used to act against social accounts connected in the ClawPost dashboard. This is expected for the skill, but it is account-level delegated authority.

Skill content

Connect platforms — In the Dashboard, connect LinkedIn and/or X (Twitter) accounts. ... Authorization: Bearer {{CLAW_API_KEY}}

Recommendation

Store the API key securely, rotate it if exposed, and connect only the social accounts you intend the agent to manage.

What this means

The agent may view or use prior X/Twitter activity and associated metrics when working with the skill.

Why it was flagged

The skill can retrieve cached social profile history and engagement data from the provider. This is relevant to social optimization, but it means prior posts and metrics may be available to the agent.

Skill content

Retrieve your X (Twitter) post history from the cached profile data... metrics, media, and reply context.

Recommendation

Review what account history ClawPost stores and avoid connecting accounts whose history you do not want available through the API.