Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Postproxy
v0.1.0
Call PostProxy API to create and manage social media posts
⭐ 0 · 1.6k · 3 current · 3 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly how to call the PostProxy API (endpoints, bearer auth, payloads) which is coherent with the name/description. However the registry metadata lists no required env vars/credentials while the instructions require POSTPROXY_API_KEY — a clear metadata/instruction mismatch that should be corrected.
Instruction Scope
The instructions direct the agent to use curl with a Bearer token and include examples for multipart file uploads (e.g., -F "media[]=@/path/to/image.jpg"). That implies the agent will read local filesystem paths supplied to it. The SKILL.md also expects the POSTPROXY_API_KEY from the environment. The skill does not instruct collecting other unrelated system files, but the file-upload examples mean the agent may be asked to access arbitrary local files, which is a privacy/exfiltration risk if misused.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. That is the lowest-risk install model.
Credentials
Requesting a single service API key (POSTPROXY_API_KEY) is proportionate for an API client. The concern is that the registry metadata does not declare this required environment variable while the SKILL.md requires it — a mismatch that could cause users to unknowingly provide credentials. Additionally, because examples show uploading local files, a provided API key could be used to transmit files from the host if the agent is instructed to do so.
Persistence & Privilege
The skill does not request always: true, has no install behavior, and does not claim to modify other skills or system-wide settings. Normal autonomous invocation is enabled (platform default) and not in itself a red flag here.
What to consider before installing
This skill appears to be a simple PostProxy API wrapper, but take these precautions: (1) The SKILL.md requires POSTPROXY_API_KEY but the registry metadata doesn't declare it — confirm with the author before supplying credentials. (2) The examples show uploading local files (media[]=@/path/to/file); avoid giving the skill broad filesystem access or uploading sensitive files. (3) There is no source or homepage listed — try to verify the publisher and the service (https://app.postproxy.dev) and prefer using a scoped/limited API key or a test account. (4) If you install, start in a sandboxed environment and monitor network calls; revoke the key if behavior is unexpected.
Like a lobster shell, security has layers — review code before you run it.
latestvk977yw6ychrpmvqfw5sjm2jp5980kch1
