Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Content Pro

v1.0.1

AI-powered social media content generator by Automaton. Viral content creation for TikTok, Instagram, Twitter, LinkedIn, Xiaohongshu.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill advertises auto-posting, account connections, performance analytics, and competitor analysis (features that normally require OAuth/API credentials and network access to social platforms). However, the registry metadata lists no required env vars or config paths for platform tokens, and package.json has no networking/OAuth dependencies. This suggests the advertised features are either simulated, incomplete, or the skill omits necessary integration steps.
! Instruction Scope
SKILL.md shows usage examples that pass an apiKey in the constructor and call methods for scheduling, analytics, and competitor analysis, but it does not explain how to connect real social accounts, where to obtain platform tokens, or what the 'apiKey' is for. The runtime instructions do not direct the agent to access any system files or unexpected endpoints, but they are vague about external integrations required for the claimed capabilities.
Install Mechanism
There is no install spec that downloads external code or executes installers; package.json has no dependencies and there are no remote URLs in the manifest. The risk from installation is low based on provided files.
! Credentials
No required environment variables are declared in the registry metadata, but index.js reads process.env.SOCIAL_CONTENT_API_KEY as a fallback and SKILL.md shows an apiKey parameter. More importantly, features like auto-post and analytics would normally require multiple platform-specific credentials (OAuth tokens, API keys) which are not requested or documented — a mismatch that could hide missing configuration or imply the skill simulates sensitive operations without making that explicit.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time scripts. It does not request elevated or persistent platform privileges in the manifest.
What to consider before installing
This skill appears functionally consistent for generating simulated content locally (viral hooks, hashtag suggestions), but it also advertises auto-posting, analytics, and competitor analysis without documenting how to connect real social accounts or where needed credentials come from. Before installing or providing any API keys:
- Ask the author/maintainer: what is the constructor apiKey used for, and how do you connect real social accounts (OAuth flow, where are tokens stored)?
- Inspect the rest of index.js (full file) for any network calls (fetch/https/request/axios) or hardcoded endpoints. If any exist, ask what endpoints are contacted and why.
- If you plan to enable auto-posting, require explicit instructions about OAuth flows and where tokens are stored; never paste platform OAuth tokens into a skill without understanding the endpoint and storage.
- Run the included tests locally in an isolated environment to see whether the module simulates data or actually attempts network access. Monitor outbound network traffic while running tests.
- Prefer skills that clearly document required credentials and show secure token handling; if the skill only simulates analytics/competitor data, treat pro features (auto-post) as marketing claims unless proven otherwise.
Given the omission of integration details and credentials, proceed cautiously — the code likely works as an offline generator, but the advertised live integrations are unproven and under-documented.
index.js:19
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

latestvk973cv8wgfbkza3n8n30y095z183h79f

Runtime requirements

📱 Clawdis