Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GetPost - The API Platform for Bots

v1.0.0

The API platform for bots. Email, SMS, search, scrape, AI, domains, shipping - one API key.

by domm @dommholland
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes an API platform that matches the skill name/description (email, SMS, search, scrape, AI, domains, shipping). However the skill metadata declares no required credential even though the instructions require an API key (Authorization: Bearer gp_live_YOUR_KEY). This mismatch is unexpected and reduces transparency.
Instruction Scope
Instructions are limited to calling getpost.dev endpoints (signup, email, sms, search, scrape, ai, domains, webhooks, billing). They do not ask the agent to read local files or unrelated system state, but they do allow registering webhooks to arbitrary URLs and provisioning domains/DNS. Webhook registration and DNS changes can be used to exfiltrate data or take control of domains if misused; the SKILL.md gives no guidance or safeguards around that.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself.
Credentials
The documentation requires an API key to authenticate, and actions include billing (Stripe checkout/direct card payments) and provisioning domains/DNS. Yet the registry metadata declares no required environment variables or primary credential. The missing declaration is an inconsistency and could lead to unclear handling/storage of secrets at runtime.
Persistence & Privilege
always is false and the skill doesn't request persistent system privileges or modify other skills. Autonomous invocation is allowed (default) but not combined with other privileged flags.
What to consider before installing
This skill documents a powerful, multi-capability API (email/SMS, scraping, AI, domain/DNS changes, webhooks, billing). Before installing:
1) Note the registry metadata does NOT declare the API key it requires — ask the provider how the key will be supplied and stored (prefer user-supplied, scoped, revocable key).
2) Be cautious with webhook registration and DNS/domain provisioning: these features can exfiltrate data or alter your domains — require explicit approval before registering external webhook URLs or changing DNS.
3) Treat billing endpoints carefully: use a separate/test account or card and verify pricing/limits.
4) Verify the service origin (getpost.dev) and review its privacy/security docs; the skill source is unknown with no homepage.
5) If you decide to proceed, limit the agent’s permissions, use minimal-scoped API keys, and monitor logs/credits for unexpected activity.

Like a lobster shell, security has layers — review code before you run it.
