Social Posting for Openclaw
v1.1.8
Post to X (Twitter), LinkedIn, Facebook, and TikTok via Claw Post API. Search for Facebook groups, join them, and post to them. Use when the user wants to pu...
by Daydream Nation Tech Labs LLC (@daydreamnationtechlabs)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the runtime instructions: SKILL.md documents calls to api.clawpost.net endpoints for posting, media upload, group search/join, and job polling. Requesting a single CLAWPOST_API_KEY as the primary credential is proportional to a service-fronted posting tool. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
Instructions stay within the stated scope: they show HTTP requests to Claw Post endpoints and direct humans to sign up, install and pair a Chrome extension, and log into target social sites. The only out-of-band action is the required browser extension which will operate on the user's social-site sessions; SKILL.md claims 'no social-platform creds leave the browser' and tells users to verify extension permissions, but the skill bundle contains no code for the extension or the remote service so that claim cannot be validated from this package alone.
Install Mechanism
This is instruction-only (no install spec or bundled code), so the skill itself writes nothing to disk. The only installation dependency is an external Chrome extension the human must install from the Web Store; that extension and the hosted API are outside the skill bundle and were not provided for review.
Credentials
Only CLAWPOST_API_KEY is required and is declared as the primary credential in metadata and clawhub.json. That single API key is proportionate to the claimed service model (one-API-key tenant access). No other secrets or system config paths are requested.
Persistence & Privilege
always:false (default) and autonomous invocation is permitted (platform default). That combination is expected, but be aware: if the agent is allowed to run autonomously, it can create jobs that cause the paired browser extension to join groups and publish posts on behalf of the user. This is powerful operational capability and should be limited or audited according to your risk tolerance.
Assessment
This skill is internally coherent, but it depends on a Chrome extension and a hosted API you cannot audit from this bundle. Before installing or enabling it: (1) Inspect the Chrome Web Store listing, reviews, and extension permissions; prefer extensions with source code or a published privacy/security audit. (2) Read clawpost.net/docs, privacy policy, and terms to learn how session data and posted content are handled and retained. (3) Store CLAWPOST_API_KEY in a secrets store (not in plaintext), rotate the key after testing, and grant the agent the minimum invocation privileges (or require explicit user confirmation) so it cannot autonomously post at scale. (4) Test with a low-risk account or small audience before using on production accounts. If you want higher assurance, request the extension source or third-party audit reports from the operator — absence of those increases residual risk and would lower confidence.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: CLAWPOST_API_KEY
Primary env: CLAWPOST_API_KEY
