Skill v1.0.0

VirusTotal security

Social Media Engine · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:39 AM
Hash
5ecdab54f53e0ebe809ee3923b122fcbef7b4eff18e2b1e3fabf9b380fd65c70
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: social-media-engine
Version: 1.0.0

The skill is classified as suspicious due to a vulnerability in `scripts/post-scheduler.js`. The script attempts to load API keys from `.env` files located in the skill's root, the current working directory (`process.cwd()`), and `~/.openclaw/`. While this is a common configuration pattern, it creates a risk of unintended information disclosure or misuse if other sensitive `.env` files exist in these locations and contain variables named `BUFFER_API_KEY` or `POSTIZ_API_KEY` (or their aliases). The script would then load and potentially use these unintended credentials for its API calls to Buffer or Postiz. There is no evidence of intentional malicious behavior such as arbitrary data exfiltration, persistence mechanisms, or prompt injection attempts to subvert the agent's core function.