Social Poster
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is purpose-aligned, but it can publish social posts through an embedded API key to an external service without clear account ownership, scope, or confirmation controls.
Review carefully before installing. Only use it if you are comfortable sending post text to the VibePost/Replit endpoint and if the publisher clarifies which account will post, how the API key is controlled, and that the agent will ask for approval before publishing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could publish a social post before the user has clearly reviewed and approved the final message.
The documented workflow directly publishes content to a social platform; the artifacts do not require preview, confirmation, account selection, or rollback for this public action.
node skills/social-poster/scripts/post.mjs --text "Hello world" [--platform twitter]
Require explicit user confirmation with the exact final text, platform, and target account before posting.
Posts may be made through a shared or unknown credential/account, making ownership, authorization, revocation, and auditability unclear.
The script embeds an API key that authenticates posting requests, while the metadata declares no primary credential or required environment variable.
const API_KEY = 'quack_5c6786fb...'; ... 'x-quack-api-key': API_KEY
Remove the hardcoded key, require a user-provided secret through a declared environment variable or credential store, and clearly document account scope and permissions.
Anything included in the post text is transmitted to the VibePost service.
The post text is sent to an external VibePost API endpoint before publication, which is expected for this skill but still creates a third-party data boundary.
fetch(url, { method: 'POST', ... body: JSON.stringify({ text: args.text, platform: args.platform }) })
Do not include private or sensitive information in posts, and the skill publisher should document the external service operator and data handling policy.
Users have limited information to verify who operates the posting service or where the skill came from.
The registry information does not provide a verifiable source or homepage for a skill that relies on an external posting API.
Source: unknown; Homepage: none
Provide a source repository, homepage, maintainer identity, and documentation for the VibePost API.
