Skill v1.0.1

ClawScan security

Publer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 17, 2026, 1:16 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required credentials are consistent with its stated purpose of posting and scheduling content via the Publer API.
Guidance
This skill appears to do what it says: upload local files and create/schedule posts using Publer. Before installing: (1) Only provide a Publer API key and workspace ID if you trust Publer and the environment running the skill — the API key can be used to publish content for that workspace. (2) Do not store secrets (API keys) in repository files like TOOLS.md or commit them to source control. (3) The script will upload any file paths you pass to it — avoid passing sensitive local files. (4) You may want to run it in a restricted environment or inspect network traffic to confirm it only talks to app.publer.com. If you need tighter security, consider creating a least-privilege API key (if supported) and rotating keys after use.

Review Dimensions

Purpose & Capability
ok: Name and description match the implemented functionality. The skill requires python3 and Publer API credentials (PUBLER_API_KEY, PUBLER_WORKSPACE_ID), which are exactly what a Publer client would need. Included scripts implement account listing, media upload, posting, scheduling, and job polling against app.publer.com.
Instruction Scope
note: SKILL.md instructions stay within the stated purpose (upload local media, create/schedule posts, poll jobs). It does instruct storing API keys in a local file (TOOLS.md) as an option. This is operational guidance, but users should avoid committing secrets to VCS. The README/example references PUBLER_TIKTOK_ACCOUNT_ID as an optional env var for examples; the code itself does not implicitly read any env var beyond the two required ones.
Install Mechanism
ok: This is instruction-only with a small pip dependency (requests) listed in requirements.txt and an optional install hint in SKILL.md. No downloads from arbitrary URLs or archive extraction are present.
Credentials
note: Only PUBLER_API_KEY and PUBLER_WORKSPACE_ID are required and declared; those are appropriate for the described API operations. SKILL.md mentions PUBLER_TIKTOK_ACCOUNT_ID as an optional convenience variable (not declared as required), which is reasonable. Users should be aware that the API key grants posting abilities to the workspace, so treat it as sensitive.
Persistence & Privilege
ok: The skill does not request permanent/always-on privileges (always: false). It does not modify other skills or system-wide agent settings. Autonomous invocation is allowed by default but not combined with other privilege escalations here.