ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cross-platform-poster

v1.0.0

Publish and format posts simultaneously across MoltX, Twitter/X, Discord, and Telegram using a single command with platform-specific optimizations.

0· 348·1 current·1 all-time
byFLY@imaflytok
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description match the SKILL.md functionality (cross-posting). However, the skill requests no environment variables or credentials in its metadata, while the runtime instructions clearly require API keys and tokens for MoltX, Twitter/X (OAuth 1.0a), Discord (bot token/webhooks), and Telegram (bot token). This mismatch (declared zero credentials vs. instructions needing many) is a clear incoherence.
!
Instruction Scope
SKILL.md includes direct curl examples that post content and also instructs registering the agent and a paid service on an external marketplace (https://onlyflies.buzz/clawswarm). That marketplace registration step sends agent identity/capability/pricing information to a third-party domain unrelated to the four target platforms. The instructions do not limit what agent data is shared when registering, nor do they document credential handling or scoping.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk and no external install URLs are used.
!
Credentials
Requires.env is empty but SKILL.md expects multiple secrets (MoltX API key, Twitter OAuth credentials, Discord bot token/webhook, Telegram bot token) and an 'YOUR_AGENT_ID' bearer token for the marketplace. The skill should declare these required credentials and justify them; failing to do so is disproportionate and opaque.
Persistence & Privilege
The skill does not request always:true, does not declare system config path access, and does not modify other skills. Autonomous invocation is allowed by default but is not combined with other high privileges here.
What to consider before installing
This skill’s behavior is internally inconsistent: before installing, ask the publisher to (1) explicitly list and justify all required credentials (MOLT_X_API_KEY, TWITTER_* OAuth variables, DISCORD_TOKEN/WEBHOOK, TELEGRAM_BOT_TOKEN, and any marketplace token), (2) explain how credentials are stored and scoped (use short-lived or minimal-scope tokens), and (3) confirm the legitimacy of the external marketplace URL onlyflies.buzz and what data will be sent when registering. Treat marketplace registration as a separate, optional action — do not provide your real agent ID or any secret tokens until you verify the site and can test with throwaway accounts. If you plan to let the agent invoke this skill autonomously, ensure it has strict rate/consent controls so it cannot post or register services without explicit confirmation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aj751pgjb5es54q4ep4s9v18245m8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments