Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bluesky

v0.1.7

Bluesky/AT Protocol orchestration skill for authenticated interaction with the Bluesky Social network: post, reply, like, repost, quote, bookmark, and upload...

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md, README, and code (lib/bluesky_agent.py) all align: it implements AT Protocol interactions and needs a Bluesky handle, PDS URL, and an App Password. However, the registry metadata at the top of the package declares 'Required env vars: none' and 'Primary credential: none', which contradicts the SKILL.md's declared required environment variables. This mismatch is a packaging/metadata coherence issue.
Instruction Scope
SKILL.md instructions are limited to installing the atproto Python SDK, setting BSKY_PDS/BSKY_HANDLE/BSKY_APP_PASSWORD environment variables, and following AT Protocol practices (resolve handles, use TextEncoder, fetch latest cid). There are no instructions to read unrelated system files or exfiltrate data to third-party endpoints.
Install Mechanism
There is no platform install spec, but the skill's own SKILL.md requests installing the atproto package via pip (pip install atproto). This is a standard package install; no arbitrary URL downloads or archive extraction are present. The included code imports atproto, which matches that install step.
Credentials
The environment variables requested in SKILL.md (BSKY_PDS, BSKY_HANDLE, BSKY_APP_PASSWORD) are appropriate and proportionate for authenticated Bluesky operations. The concern is the package/registry metadata does not list these required env vars or a primary credential, which could cause the platform to not surface the secret requirements properly to users. Confirm the platform will treat BSKY_APP_PASSWORD as a secret and will prompt for it before enabling the skill.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. Default autonomous invocation is allowed (platform default), which is expected for an agent skill that can post on behalf of a user — be aware that if installed with credentials the skill can perform actions (post/like/repost) on your account.
What to consider before installing
This skill appears to implement exactly what it claims (authenticated Bluesky posting and media uploads) and asks for a Bluesky app password and handle — which is expected. However, the package/registry metadata omitted those required env vars, so verify before installing:

  1. Confirm the platform will prompt you to provide BSKY_APP_PASSWORD and will treat it as a secret (do not paste your primary account password).
  2. Review the referenced GitHub repo and the 'atproto' pip package to ensure they are the expected, official implementations (confirm package name, source, and recent activity).
  3. Understand that once installed with your app password the skill can post/like/repost as your app; grant only the minimal app-password permissions and rotate/revoke the app password if you remove the skill.
  4. If you need higher assurance, ask the maintainer to update the registry metadata to list required env vars/primary credential so the platform can surface permissions correctly.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🦋 Clawdis
Tags: ATProto, BlueSky, Social-media, atprot, atproto, bluesky, bluesky-bot, communication, latest, social media, social-media
243 downloads
0 stars
8 versions
Updated 46m ago
v0.1.7
MIT-0

Bluesky Skill

Advanced Bluesky/AT Protocol orchestration skill. This skill allows for authenticated interaction with the Bluesky Social network, including robust handling of rich text, media uploads, and thread management.

Provenance & Source

Configuration & Authentication

This skill expects the following environment variables to be set for secure operation:

  • BSKY_PDS: The PDS URL (default: https://bsky.social).
  • BSKY_HANDLE: Your full Bluesky handle (e.g., user.bsky.social).
  • BSKY_APP_PASSWORD: A unique App Password generated via Bluesky Settings.

Setup

  1. Dependency: Ensure the atproto Python library is installed: pip install atproto.
  2. Generate App Password: Go to Settings > Advanced > App Passwords in your Bluesky client.
  3. Environment Variables: Configure your shell or OPENCLAW_ENV to include the variables listed above. Do not store your primary account password here.

Capabilities

  • post(text, { reply_to, embed, facets }): Create new posts. Threading requires root and parent references (uri+cid).
  • like(uri, cid): Like content.
  • repost(uri, cid): Repost content.
  • quote(text, uri, cid): Quote a post by embedding its Strong Reference.
  • bookmark(uri, cid): Private bookmarking (App View specific storage).
  • upload_blob(bytes, mimetype): Upload media (limit 1MB for images) before embedding.

Implementation Details

  • Handles vs DIDs: Always resolve handles to DIDs using the resolveHandle API before performing write operations.
  • Rich Text: Use TextEncoder to ensure byte-accurate byteStart and byteEnd for facets. Never rely on UTF-16 character indices.
  • Indexing: Always fetch the latest post cid before interacting (liking/reposting/quoting) to ensure valid Strong Reference anchors.
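
The byte-offset rule for facets, as an added example that is not the skill's own code: in Python the counterpart of TextEncoder is `str.encode("utf-8")`, and the check below shows what happens when character indices are used instead. The names `URL_RE`, `link_facets`, `facet_text`, `utf16_offset` and the sample post are illustrative and constructed for this example.

```python
import re

# Simplified URL matcher for the example (assumption, not the skill's own regex).
URL_RE = re.compile(r"https?://[^\s]+")

def link_facets(text: str) -> list[dict]:
    """Build app.bsky.richtext.facet link facets with UTF-8 byte offsets."""
    facets = []
    for m in URL_RE.finditer(text):
        # Offsets count UTF-8 bytes, so encode the prefix instead of using m.start().
        byte_start = len(text[:m.start()].encode("utf-8"))
        byte_end = byte_start + len(m.group().encode("utf-8"))
        facets.append({
            "index": {"byteStart": byte_start, "byteEnd": byte_end},
            "features": [{"$type": "app.bsky.richtext.facet#link", "uri": m.group()}],
        })
    return facets

def facet_text(text: str, facet: dict) -> str:
    """Return the span a facet covers; raises if the range is out of bounds
    or cuts through a multi-byte character (UnicodeDecodeError)."""
    raw = text.encode("utf-8")
    idx = facet["index"]
    if not 0 <= idx["byteStart"] < idx["byteEnd"] <= len(raw):
        raise ValueError("facet range outside post text")
    return raw[idx["byteStart"]:idx["byteEnd"]].decode("utf-8")

def utf16_offset(text: str, char_index: int) -> int:
    """Offset a UTF-16 runtime (e.g. JavaScript string indices) would report."""
    return len(text[:char_index].encode("utf-16-le")) // 2

# Constructed sample post: the emoji is 4 UTF-8 bytes, 2 UTF-16 units, 1 code point.
SAMPLE = "🦋 café notes: https://example.com/a"

if __name__ == "__main__":
    facet = link_facets(SAMPLE)[0]
    start = SAMPLE.index("https://")
    print("code points:", start, "utf-16:", utf16_offset(SAMPLE, start),
          "utf-8:", facet["index"]["byteStart"])
    print("correct span:", facet_text(SAMPLE, facet))
    # Same facet built from character indices: the link lands on the wrong text.
    wrong = {"index": {"byteStart": start, "byteEnd": start + 21}}
    print("char-index span:", facet_text(SAMPLE, wrong))
```

Running `facet_text` over every facet before posting is a cheap pre-flight check that each link or mention annotates the text the user actually sees.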

Official Documentation

Author
