Content Machine

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could create or schedule public posts that affect reputation, compliance, or connected social-media accounts if invoked without careful review.

Why it was flagged

Publishing to social platforms is a high-impact account action, and the artifacts do not require draft review or explicit confirmation before AI-generated content is scheduled or posted.

Skill content

- Schedules and publishes to social platforms

Recommendation

Use test accounts first, require manual approval for each post and platform, limit post counts, and confirm that connected posting tools support cancellation or rollback.

What this means

Over-scoped or mishandled keys could incur model costs or allow posting through connected social accounts.

Why it was flagged

These credentials are purpose-aligned, but they grant paid AI usage and delegated posting authority; the registry-level requirements also under-declare these env vars.

Skill content

**OpenAI API Key** or **Anthropic API Key** - For content generation; **Postiz API Key** - For posting to social platforms

Recommendation

Use dedicated, least-privilege API keys, set spending limits, avoid admin-wide social tokens, and revoke keys if the skill is no longer needed.

What this means

Dependency behavior could change over time or differ across environments.

Why it was flagged

The setup relies on unpinned external Python packages without an install spec or lockfile. This is normal for a Python integration, but the exact dependency versions are not fixed.

Skill content

pip install requests openai

Recommendation

Install in an isolated environment and pin reviewed package versions before using the skill with real accounts or credentials.