Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Multi-Platform Poster
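v0.1.0
Publish content to WeChat, Weibo, Zhihu, Xiaohongshu and Douyin with one click, with automatic format adaptation, scheduled publishing, and performance data tracking and analysis.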
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description claim multi-platform posting, scheduling and analytics; SKILL.md and README consistently describe those features and list sensible platform credentials and dependent helper skills. This capability legitimately requires the platform credentials the docs mention, so the high-level purpose aligns with the requested capabilities — but the registry metadata lists no required env vars, which is an inconsistency.
Instruction Scope
SKILL.md focuses on adapting content, scheduling, posting and tracking; it does not instruct the agent to read unrelated system files or exfiltrate data. It instructs binding platform accounts in ClawHub settings and references dependent skills for publishing and image handling, which is within scope for a poster skill.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes on-disk install risk. The skill references other skills (wechat-article-publisher, humanizer, image) but does not fetch arbitrary archives or run downloads — appropriate for an instruction-only skill.
Credentials
SKILL.md and README enumerate many sensitive credentials (AppID/AppSecret, client keys/secrets, API keys) which are proportionate to posting and analytics across multiple platforms. However, the registry metadata declares no required environment variables or a primary credential. That mismatch is concerning because it is unclear where and how those secrets are expected to be provided, stored, or used (ClawHub UI binding is referenced but not detailed).
Persistence & Privilege
Skill is not marked always:true and is user-invocable. No claims of modifying other skills or system-wide settings. Expected behavior for this type of skill.
What to consider before installing
This skill appears to be what it says (a cross-posting helper) and legitimately needs platform credentials, but the package metadata does not declare those env vars while the documentation lists them — that's an inconsistency you should resolve before provisioning any secrets. Before installing or binding accounts:
1) Ask the publisher (or ClawHub) where credentials are stored (encrypted in ClawHub UI? sent to external servers?), and whether OAuth token flows are used rather than storing raw secrets.
2) Verify which component actually performs API calls (this skill vs dependent skills) and inspect those implementations or request source/homepage since the skill's source is unknown.
3) Limit privileges: use per-platform test accounts or create API apps with minimal scopes.
4) Confirm data/analytics endpoints and retention policy, and whether any third-party servers receive your content or credentials.
If you cannot get clear answers or source code/homepage, treat the skill as higher risk and avoid providing production credentials.
Like a lobster shell, security has layers — review code before you run it.
latestvk97dqpq1hkv3126f3bparjjvax82vcgd
