Bluesky

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is transparent about using Bluesky credentials, but it lets an agent take public or account-changing social actions without clear approval limits.

Install only if you want an agent to be able to act on your Bluesky account. Use a dedicated revocable app password, require manual approval for public posts and engagement actions, and verify or pin the atproto dependency before use.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, an agent could publish or interact from the user’s Bluesky account in ways that may affect reputation, privacy, or account state.

Why it was flagged

The skill is intended for agent-driven social account actions, including public posting and engagement, but the artifacts do not require confirmation or define limits before those actions occur.

Skill content

This skill provides a standardized way for autonomous agents and tools ... Responsive Automation: Thread-aware posting, replying, and quoting. ... Engagement: Structured likes and reposts. ... Blob-based media uploads and private content bookmarking.

Recommendation

Use only with workflows that require explicit user approval before posting, reposting, liking, quoting, uploading media, or bookmarking, and consider adding documented safety limits.

What this means

Anyone or any agent process with access to that app password may be able to perform supported actions on the Bluesky account.

Why it was flagged

The skill requires a Bluesky app password and handle. This is expected for authenticated Bluesky use, but it grants the agent delegated access to act as the account.

Skill content

"BSKY_HANDLE": "<required>", "BSKY_APP_PASSWORD": "<required>" ... "secrets": ["BSKY_APP_PASSWORD"]

Recommendation

Use a dedicated Bluesky app password, never the primary password, store it only in the approved secret environment, and revoke it when no longer needed.

What this means

The runtime behavior depends on the installed atproto package version and source.

Why it was flagged

The skill depends on an external PyPI package without a pinned version, while the registry install section reports no install spec. This is normal for the stated purpose but leaves dependency provenance to the user.

Skill content

Ensure the `atproto` Python library is installed: `pip install atproto`.

Recommendation

Install from a trusted package index, pin a reviewed atproto version where possible, and align registry install metadata with the documented dependency.