Skill v1.0.0

ClawScan security

SocialPost Auto · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 9, 2026, 2:25 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's description claims full automated posting using platform credentials, but the package and runtime artifacts are inconsistent about what is required and what is executed — review before installing or providing credentials.
Guidance
Do not supply platform credentials or a 'license_key' until the developer clarifies how the code uses them. Specific concerns to address before installing: (1) Ask the author why the registry lists no required credentials but SKILL.md instructs you to add them; (2) Verify whether post.py actually performs authenticated HTTP calls to platform APIs (the current functions only print); (3) Confirm which dependencies are required (post.py imports requests) and whether the package.json Node file is accidental; (4) If you must test, run the code in an isolated environment (container or VM) without real credentials and inspect network activity; (5) Prefer only adding minimal-scoped tokens or per-account API keys and revoke them after testing. Because of the mismatches between documentation, manifest, and code, treat this skill as untrusted until the developer provides a clear, consistent explanation and a version that actually implements secure credential handling.

Review Dimensions

Purpose & Capability
concern: SKILL.md and README say the skill needs a license key and platform credentials (Twitter API keys, Weibo token, Xiaohongshu cookie) and will post/schedule/auto-reply. The declared registry requirements list no env vars or credentials. The included Python script contains stubbed post_* functions that only print instead of using credentials or calling APIs. This mismatch (promised network posting vs. no real API calls and no declared credential requirements) is incoherent.
Instruction Scope
concern: Runtime instructions tell the agent/user to add a license_key and platform credentials to ~/.openclaw/openclaw.json and optionally enable cron jobs and auto-reply behavior. The actual script does not read that config or use those credentials, so the instructions ask for sensitive data that the shipped code does not appear to need — a red flag. Instructions also direct installing cron jobs to run the script periodically (writing/reading tasks.json under the user's workspace).
Install Mechanism
note: There is no install spec (instruction-only), which is lower risk. However, package.json (Node) exists while the runtime is a Python script that imports the 'requests' library — no Python dependency declaration is provided. That mismatch could lead users to run code without the expected environment or to manually install dependencies; it's sloppy and worth attention but not directly malicious.
Credentials
concern: SKILL.md asks users to store a license_key and multiple platform credentials in ~/.openclaw/openclaw.json, which is reasonable for a posting skill — but the registry metadata claims no required env/config. Requiring a license key and platform secrets without declaring them in the registry is inconsistent and could lead to users placing sensitive tokens where other skills or processes can access them. Also, the script does not actually read those credentials, so it's unclear why they would be requested.
Persistence & Privilege
ok: The skill does not request always:true or system-wide privileges. It writes its own tasks.json under ~/.openclaw/workspace/skills/socialpost-auto/data and suggests cron scheduling — normal for a scheduler. It does not modify other skills or system-wide configs.