Skill v1.0.1
ClawScan security
Social Publisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 6:21 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's claims line up with an instruction-first social media content helper; the included code consists of inert help stubs and it requests no secrets — but some referenced resources and implementation details are missing and should be clarified before you rely on it for publishing.
- Guidance: This skill is mostly an instruction/template pack: the included scripts are inert help text and the SKILL.md tells the agent how to generate calendars and posts but does not implement publishing or storage. Before installing or using it: (1) Confirm where and how publishing/scheduling is supposed to occur — the skill does not request API tokens or show integration code, so automatic posting likely isn't implemented yet; (2) Ask the author to provide the missing referenced files (TEMPLATES.md, BRAND_VOICE.md) and to explain how URL-based repurposing will fetch remote content and whether the agent will access user files; (3) If you plan to enable automated publishing, expect to later provide platform credentials (OAuth tokens/API keys) — verify the skill's handling and storage of those secrets; (4) Because the skill comes from an unknown source with no homepage, exercise normal caution and review any future changes that add network calls or credential usage.
Review Dimensions
- Purpose & Capability (note): The name/description (generate/schedule/repurpose social posts) is coherent with the skill contents: SKILL.md describes generation and calendar workflows and the small scripts are present. However, the scripts are simple help stubs (they only print HELP text) and several referenced files mentioned in SKILL.md (references/TEMPLATES.md, references/BRAND_VOICE.md) are absent from the manifest. Also SKILL.md mentions 'track published content' and scheduling/publishing but there is no code, env vars, or install spec showing how publishing or tracking would be performed (no API tokens, no webhooks, no scheduler).
- Instruction Scope (note): The runtime instructions stay within the stated domain (generate posts, make calendars, repurpose content). They do reference operations that require capabilities not included here: e.g., 'From URL' implies fetching remote content and 'schedule/publish' implies integration with social APIs. The SKILL.md does not specify how the agent should fetch URLs, where content is stored, or how to obtain API credentials — meaning actual publishing or remote fetch behavior is undefined and would depend on the agent's broader environment/policies.
- Install Mechanism (ok): No install spec is provided (instruction-only plus three tiny helper scripts). This is low-risk: nothing is downloaded or executed beyond the small local help scripts which contain no network or exec behavior.
- Credentials (ok): The skill declares no required environment variables, no primary credential, and no config paths. That is proportionate to the included files (which do not perform API calls). If you expect real publishing/scheduling, you should expect the need to supply platform tokens later — the skill currently does not request them.
- Persistence & Privilege (ok): always is false and disable-model-invocation is default (agent may invoke autonomously). The skill does not request persistent system-level privileges or to modify other skills/config; it appears to be a normal, non-privileged skill.
