ClawHub

Content Machine

v1.0.0

Automates trending topic discovery, AI content creation, scheduling, and multi-platform posting with performance tracking and optimization.

0· 171·0 current·0 all-time
by@g0atfac3
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (trend discovery, AI content, scheduling, posting) align with the declared requirements (OPENAI_API_KEY and POSTIZ_API_KEY) and with the SKILL.md instructions to install openai/requests and edit platform configs. Nothing requested appears unrelated to the stated purpose.
Instruction Scope
SKILL.md stays within scope: it instructs installing Python packages, exporting API keys, running the provided script, and editing config files for sources/platforms. However the instructions are high-level and vague about what external endpoints will be contacted (Postiz is required but not explained) and editing config/sources.json could point the tool at arbitrary feeds/APIs — this grants broad discretion depending on how users configure it.
Install Mechanism
No install spec in the registry; SKILL.md advises pip install of known packages (requests, openai). There are no arbitrary download URLs or archive extracts in the manifest. Risk from installation appears low.
Credentials
The skill declares two required env vars (OPENAI_API_KEY, POSTIZ_API_KEY), which are proportionate to content generation + posting. Postiz is an unknown third-party here (no homepage provided), and SKILL.md also says platform-specific APIs are optional — users may end up supplying multiple tokens. Require caution before providing keys to an unvetted service.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It reads/writes its own config path (config/content-machine.json) per the script; it does not modify other skills or request system-wide privileges.
Assessment
This package appears to be what it says: an automation pipeline that needs an OpenAI key for generation and a Postiz key for posting. However: (1) the source/homepage is missing — that reduces trust. (2) The included Python script is a lightweight stub that does not show actual network or posting code, but the real behavior depends on external services and configuration files (config/sources.json, platform configs). (3) 'Postiz' is required but undocumented here — verify what Postiz is and whether you trust it before supplying an API key. Before installing/providing credentials: inspect the repository or source for any network endpoints and posting code; run the script in a sandbox or isolated environment; prefer OAuth-based tokens with limited scope; avoid reusing high-privilege keys; and rotate keys after use. If you need higher assurance, request the author/source, documentation for Postiz, or a signed release from a verifiable homepage.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dt6360exrbtx8245vcmqt4d82vntq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments