CodivUpload Social Manager (via codivupload.com)

Review

Audited by ClawScan on May 7, 2026.

Overview

No malicious behavior is evident, but this skill can use an API key and OAuth-connected accounts to publish or schedule real social media content.

Install only if you want an agent to manage real social media accounts. Use a narrow per-workspace API key, test with drafts or a single platform first, review every public post or livestream action, and verify the optional MCP package before installing it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or overly broad prompt could publish, schedule, or cross-post content to real public accounts.

Why it was flagged

The skill is intended to cause external actions on social platforms, including publishing and scheduling content.

Skill content

Schedule social media posts, publish content, cross-post to multiple platforms... single-prompt posting and multi-platform cross-posting

Recommendation

Use drafts or scheduled posts when possible, review platform/profile/media/caption/time before approval, and start with a single-platform test.

What this means

Any person or agent with access to a broad key could act on connected profiles within that key’s permissions.

Why it was flagged

The skill relies on a bearer API key and OAuth-connected social accounts, so the agent’s authority depends on the account and key scopes.

Skill content

connect social accounts via OAuth → generate an API key... set it via `openclaw config set CODIVUPLOAD_API_KEY=...`

Recommendation

Use the narrowest available API key scope, prefer per-workspace keys, avoid pasting keys into chat, and revoke/rotate keys if exposed.

What this means

Installing the optional package expands the trusted software supply chain beyond the instruction-only skill.

Why it was flagged

The optional MCP server would add external package code/tooling, though it is pinned and explicitly optional.

Skill content

Optional companion: `codivupload-mcp@2.0.0` (exact pin, verify publisher + integrity before installing). Skill works fully without the MCP server.

Recommendation

Skip the MCP package unless needed; if installing it, verify the publisher, version, and integrity hash.

What this means

One bad prompt or incorrect asset could be amplified across several social accounts or continue running longer than intended.

Why it was flagged

The documented workflows can fan out one instruction across multiple public platforms or start a long-running stream.

Skill content

"Schedule this video to post on TikTok, Instagram, and YouTube tomorrow at 9am" ... "Set up a 24/7 YouTube live stream"

Recommendation

Limit platforms per request, confirm the exact target profiles, and ensure you know how to cancel scheduled posts or stop livestreams.