ClawHub
Back to skill
v1.2.2

Simplified Social Media

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:49 AM.

Analysis

This skill is coherent with its purpose, but it can publish or schedule real social media content across multiple accounts through a remote service without a clearly documented final approval step.

GuidanceReview carefully before installing. If you use it, trust the Simplified provider, protect the API key, connect only necessary accounts, and require the agent to show a full preview and receive explicit confirmation before publishing or scheduling anything.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityHighConfidenceMediumStatusConcern
SKILL.md
Always follow this sequence: Discover → Select → Compose → Publish ... You can post to multiple accounts in a single call ... Call `createSocialMediaPost` with the composed payload.

The skill documents a flow that can publish or schedule content to one or more real social media accounts, but the provided workflow does not include an explicit final user approval step before the mutating tool call.

User impactAn agent using this skill could create public or scheduled social posts on connected accounts, including multiple accounts at once, if the user has not set their own confirmation boundaries.
RecommendationRequire an explicit preview and user confirmation of the exact accounts, message, media, action, and date before any `createSocialMediaPost` call; prefer draft or reminder modes unless the user clearly asks to publish.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
"Authorization": "Api-Key ${SIMPLIFIED_API_KEY}"

The skill requires a Simplified API key for the remote MCP server, which is expected for this integration but is sensitive because it enables access to connected social media accounts.

User impactAnyone or any agent process with access to this API key may be able to act through the user's Simplified-connected social media accounts.
RecommendationUse a revocable key, keep it out of shared logs and repositories, connect only the accounts needed, and rotate the key if it may have been exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceHighStatusNote
SKILL.md
This skill requires a connection to the Simplified Social Media MCP server at `https://mcp.simplified.com/social-media/mcp`. All tools ... are provided by this remote MCP server

Tool execution is delegated to a remote MCP server, so account lists, post content, scheduling requests, and analytics queries pass through that service.

User impactDraft post text, media URLs, account identifiers, and analytics requests may be sent to the remote provider as part of normal operation.
RecommendationInstall only if you trust the Simplified service and endpoint, and avoid sending sensitive unpublished content unless that data sharing is acceptable.