Genviral - Social Media Automation

Audited by ClawScan on May 10, 2026.

Overview

The skill is transparent about Genviral social-media automation, but its default direct posting and recommended cron jobs can publish content from your accounts without per-post human approval.

Use this skill only if you are comfortable giving an agent access to create and manage Genviral/social posts. Before enabling cron, set explicit account IDs, switch to draft/manual review where possible, and confirm you can stop the scheduled jobs and revoke the API key.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your connected social accounts could keep publishing scheduled content even when you are not actively supervising the agent.

Why it was flagged

This explicitly creates ongoing scheduled agent activity that can generate and post social content after setup. It is disclosed and user-directed, but it can keep operating without a human reviewing each post.

Skill content

These run your agent on a schedule so content gets generated, posted, and reviewed without manual intervention.

Recommendation

Start with manual or draft-only posting, add a human approval step before publishing, and disable/remove cron jobs when you no longer want automation.

What this means

Generated content may be posted publicly to connected accounts instead of being held for review.

Why it was flagged

The default posting settings favor public direct publishing rather than a draft/review mode. For generated social posts, that is a high-impact default unless the user changes it.

Skill content

privacy_level: "PUBLIC_TO_EVERYONE"
post_mode: "DIRECT_POST"

Recommendation

Change defaults to draft or private mode where supported, specify only intended account IDs, and require explicit confirmation before direct posting.

What this means

Anyone or anything that can use this API key may be able to create, schedule, inspect, or modify content through Genviral within that key's scope.

Why it was flagged

The script uses a Genviral bearer API key for authenticated API calls. This is expected for the provider integration, but it grants delegated authority over the user's connected Genviral/social accounts.

Skill content

API_KEY="${GENVIRAL_API_KEY:-}" ... -H "Authorization: Bearer ${API_KEY}"

Recommendation

Use a dedicated, revocable API key with the least permissions available and rotate/revoke it if the skill is no longer needed.

What this means

Old notes, metrics, or incorrect strategy updates could shape future posts, especially when cron automation is enabled.

Why it was flagged

The skill intentionally stores local performance and strategy context that is reused for future content decisions. This is purpose-aligned, but persistent state can influence later automated posts.

Skill content

It keeps a performance log, distills insights, and rewrites its own strategy over time.

Recommendation

Review the performance, hooks, and context files regularly and avoid storing confidential product or audience information unless you intend the agent to reuse it.

What this means

If that local env file contains unintended commands, they would run when the Genviral wrapper is invoked.

Why it was flagged

The wrapper sources a local environment file to load settings such as the API key. This is a common setup pattern, but sourcing executes shell content in that file when the script runs.

Skill content

[[ -f "${HOME}/.config/env/global.env" ]] && source "${HOME}/.config/env/global.env" 2>/dev/null || true

Recommendation

Keep the env file limited to variable assignments and only source files you control and trust.