Neta Community
Review
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a normal Neta community integration, but it uses an undeclared account token and includes commands that can like, comment, favorite, or follow on the user's behalf.
Review this skill before installing. Only provide NETA_TOKEN if you trust the Neta CLI package and are comfortable with the agent using your account. Ask the agent to confirm before liking, commenting, favoriting, or following/unfollowing anything, and delete any local cache files after use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and used with a real token, the agent may be able to act as the user's Neta account for community interactions.
The skill requires an account/API token even though the registry metadata declares no required environment variables or primary credential; the token is then used with commands that can affect the user's Neta account.
Make sure the `NETA_TOKEN` environment variable is set.
Declare NETA_TOKEN in metadata, document the token scope, and require explicit user approval before any account-changing action.
The agent could post comments, favorite content, or follow/unfollow users if it interprets a request broadly.
The reference docs expose public/account-mutating social actions, but the skill does not specify a confirmation boundary or limit when the agent may run them.
`create_comment` — post a comment ... `subscribe_user` — follow/unfollow a user
Only allow these commands after the user explicitly selects the target and confirms the exact action and comment text.
The behavior ultimately depends on whatever version of the external npm package is installed at setup time.
The setup instructions use a global, unpinned '@latest' npm install. This is expected for a CLI-based skill, but the reviewed artifact does not include or pin the installed code.
npm i @talesofai/neta-skills@latest -g
Install only from a trusted package source, consider pinning a known version, and review the package before providing a token.
Personalized Neta community data could remain on disk after the task and be read later by other local processes or users.
The docs suggest saving feed results locally. This is useful and purpose-aligned, but the cached output may contain personalized feed, draft, creator, or session-continuity data.
Cache feed results to avoid repeated calls:
```bash
neta-cli request_interactive_feed --page_index 0 > /tmp/feed_cache.json
```
Store caches only in private locations, avoid caching sensitive responses, and delete temporary files when finished.
