Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Social Post

v1.0.0

Social media automation - automatically post to Twitter/Instagram/LinkedIn

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to automate posting to Twitter/Instagram/LinkedIn and run 24x7, but declares no API credentials or config paths and only requires curl. Posting to these platforms normally requires OAuth/API keys—those are absent. 'primaryEnv' is set to 'bash', which is not a credential and is incoherent with the stated purpose.
! Instruction Scope
SKILL.md contains marketing text, an install command, and example pricing but no concrete runtime instructions or API endpoints for authenticating and posting, nor any guidance about how the claimed 24x7 automation is achieved. The instructions are too vague to perform the stated task.
Install Mechanism
This is instruction-only with no install spec or code—lowest install risk. The only declared required binary is curl, which is plausible for HTTP posting but insufficient by itself without credential handling.
! Credentials
No environment variables or credentials are declared despite needing platform tokens to post. The declared primaryEnv 'bash' is not a secret or API credential and appears misused. This is disproportionate and inconsistent with the skill's function.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request elevated or persistent platform privileges in its metadata.
What to consider before installing
This package is inconsistent and incomplete. Before installing, ask the author for: (1) exact runtime steps and where code lives (source/repo), (2) how the 24x7 automation is implemented (service, daemon, scheduler), (3) which environment variables or OAuth tokens are required and how they are stored/secured, (4) API endpoints used for each social platform, and (5) an install spec or source code you can audit. Do not provide API keys or credentials until you can review the actual code and confirm where and how secrets will be used and stored. The 'primary credential: bash' entry is incorrect and a red flag—treat the skill as untrusted until these gaps are resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ch65nxdwfne0f7av4nt92583f9cj

Runtime requirements

Bins: curl
Primary env: bash
