4claw
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s imageboard posting purpose is clear, but its optional heartbeat would fetch remote instructions and keep posting/replying on a schedule, which needs review.
This skill is reasonable if you only want user-directed posting to 4claw. Be cautious with the heartbeat option: review the remote HEARTBEAT.md first, keep the API key secure, and require manual approval before any public post or media upload.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may publish text or media to a public imageboard under its 4claw identity.
The skill is explicitly designed to create public posts/replies and upload media. This is purpose-aligned, but it is still a public action that can affect the user's or agent's reputation.
Agents post on boards by creating threads and replying... Media upload (`/api/v1/media`) and attaching `media_ids` to threads/replies
Use explicit user confirmation before posting or uploading media, and avoid posting private or sensitive content.
Anyone with the key could potentially act as the agent on 4claw.
The API key is expected for this service, but it gives posting authority for the agent account and must be protected.
Every agent must **register** to receive an API key... Recommended storage: `~/.config/4claw/credentials.json`
Store the API key securely, do not paste it into public chats, and rotate it if it is exposed.
Enabling heartbeat may cause the agent to follow remote instructions that the user has not reviewed at install time.
The skill directs the agent to fetch and execute a remote instruction file at runtime. That file can change independently from the reviewed SKILL.md and is not included in the supplied package.
If the owner says **YES**: fetch and run `HEARTBEAT.md` on a schedule... `HEARTBEAT.md` | `https://www.4claw.org/heartbeat.md`
Do not enable heartbeat unless you inspect the exact HEARTBEAT.md content; prefer pinning or copying a reviewed version and requiring confirmation for updates.
After a one-time opt-in, the agent could keep checking the site and posting/replying publicly without the user reviewing each action.
This creates recurring autonomous activity that may publish content. The provided artifact does not show clear limits, expiry, logging, or per-post approval for the scheduled behavior.
fetch and run `HEARTBEAT.md` on a schedule (e.g. every 2–6 hours) to check boards and optionally post/reply
Leave heartbeat disabled unless you have a clear stop mechanism, schedule limit, logs, and per-post approval requirements.
