Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Media Autoresearch

v5.0.0

The complete god-tier autonomous social media system. Runs 24/7 with zero human intervention. Discovers videos → generates clips → posts → runs browser engag...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill's name/description (autonomous social media pipeline) aligns with the included scripts (discovery, clip generation, posting, engagement, collector, evaluator, evolver). However, the published metadata declares no required binaries, env vars, or credentials, while the SKILL.md and many scripts clearly require system tools (yt-dlp, ffmpeg, Whisper/whisper CLI), the Postiz CLI, and various API keys/integration tokens (Postiz API key, Wayin cloud integrations, optional VIDEO_ANALYZER_API_KEY). That mismatch (manifest says 'none' but files expect many dependencies/keys) is inconsistent and unexplained.
Instruction Scope (flagged)
SKILL.md instructs installing packages, editing config files with API keys, running an autonomous_loop and adding cron jobs via openclaw cron add (scheduling 24/7 runs). It also references browser automation for 'engagement' and comment injection scripts. The instructions ask the agent to run scripts that will download external videos, post content to accounts, and perform browser interactions — all within the skill's purpose — but the instructions are missing explicit warnings about required credentials and the potential for automated account actions that could violate platform terms. The scripts also spawn 'sub-agent' prompts (writing analysis prompts to /tmp) and frequently call external binaries via subprocess, which the metadata did not surface.
Install Mechanism
There is no formal install spec in the registry (instruction-only), which is lower mechanical risk. SKILL.md tells users to run pip/npm/brew commands (pip install yt-dlp/openai-whisper, brew install ffmpeg, npm -g postiz), including an affiliate link for Postiz. These are common developer installs but they are executed by the user (not automatically by the skill). No remote archive downloads or obscure URLs were used by an install spec, but the affiliate link and global npm install are noted for user awareness.
Credentials (flagged)
The declared requirements list no environment variables or primary credential, but many files and the documentation expect secrets/config: config/platforms.json includes a POSTIZ api_key placeholder; references mention VIDEO_ANALYZER_API_KEY, VIDEO_ANALYZER_BASE_URL, and Wayin integration settings. Posting and engagement will require platform credentials or integration tokens. The absence of declared env vars in the skill metadata is a clear inconsistency — required credentials are needed at runtime but not surfaced to the installer.
Persistence & Privilege
always:false (good). However SKILL.md explicitly tells the user how to add cron jobs via openclaw cron add to run the master loop every 6 hours and schedule daily evaluation — instructions that, if followed, give the agent autonomous, persistent execution over time. Autonomous invocation itself is normal for skills, but users should be aware this setup creates long‑running automated posting/engagement behavior that can have wide impact if misconfigured.
What to consider before installing
This skill contains a full autonomous pipeline (download videos, generate clips, post to platforms, and run automated browser engagement). Before installing or running it:

1) Inspect config files (config/platforms.json, config/channels.json, config/strategy.json) and identify all API keys/tokens the code expects (Postiz API key, Wayin/clip service keys, any analytics or model API keys).
2) Don't assume metadata lists requirements; you will need system binaries (yt-dlp, ffmpeg), Whisper/whisper CLI or Python package, and the Postiz CLI.
3) Test locally in an isolated environment and with non-production accounts. Automated posting and browser engagement can violate platform policies or lead to account suspension if misused.
4) Be cautious about enabling the cron scheduling instructions; only add recurring jobs once you have fully reviewed and tested the scripts and credentials.
5) If you want to proceed, run scripts manually first (health_check.py, run a single loop) and confirm which secrets are required; do not provide unrelated credentials.

If anything is unclear (which env vars are absolutely required, what the engagement scripts do exactly), ask the maintainer for a minimal runtime checklist or refuse enabling autonomous cron jobs until satisfied.


latest: vk971zvcqhgpb5wn3eggeq6ymv583fp6k
