ClawHub

bluesky-skill

v1.0.1

Manage a Bluesky (bsky) account — posting, replies, likes, reposts, follows, blocks, mutes, search, timeline, threads, notifications, DMs, and profile update...

0· 180·0 current·0 all-time
byJohannes@johannesseikowsky
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (manage a Bluesky account) matches the requested binaries (python3), the two env vars (BLUESKY_HANDLE, BLUESKY_APP_PASSWORD), and the included Python CLI that calls the AT Protocol client. Nothing unrelated (e.g., cloud provider keys) is requested.
Instruction Scope
SKILL.md instructs running the included ./bsky Python CLI and installing atproto and python-dotenv. It requires a .env with the handle and app password and documents a session cache at ~/.bsky_session.json. The instructions stay within the Bluesky use case but explicitly require writing/reading credentials and a session token on disk; that is expected for this functionality but is sensitive.
Install Mechanism
No formal install spec; SKILL.md suggests pip install of atproto and python-dotenv. This is normal for a Python-only tool, but pip installs execute code from PyPI — run inside a virtualenv or inspect packages before installing. The repo does include the Python CLI source (scripts/bsky.py); there are no external downloads or obscure install URLs.
Credentials
Only two env vars (BLUESKY_HANDLE and BLUESKY_APP_PASSWORD) are required, which are exactly the credentials needed to operate the account. However, those credentials grant full account control (posts, follows, DMs, blocks, etc.), so they are high privilege and should be provided only to trusted code.
Persistence & Privilege
always:false (no forced inclusion). The skill creates a session cache at ~/.bsky_session.json containing an exported session token; this is persistent across runs and should be removed to revoke access. The skill does not request system-wide config modifications beyond that file.
Assessment
This skill appears to be what it claims: a Python CLI to manage a Bluesky account. Before installing or using it: (1) Understand that providing BLUESKY_HANDLE and BLUESKY_APP_PASSWORD gives the skill full control of your account (including DMs if enabled). Treat the app password like a secret. (2) The tool stores an exported session token at ~/.bsky_session.json — delete that file to force logout or revoke access. (3) The SKILL.md asks you to pip install dependencies — prefer a virtualenv or inspect the packages (atproto, python-dotenv) before installing. (4) The skill's source file is included (scripts/bsky.py); if you don't trust the publisher (no homepage provided), review that file yourself or run the CLI in an isolated environment. (5) If you plan to allow autonomous invocation by an agent, remember the agent could perform any account action using these credentials. If any of those points are unacceptable, do not install or provide your credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk973eksj32kv4kk0cm9xz8vsa582y0n9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3
EnvBLUESKY_HANDLE, BLUESKY_APP_PASSWORD
Primary envBLUESKY_HANDLE

Comments