ClawHub

Clawbsky

v1.1.4

Advanced Bluesky CLI with support for media (images/video), thread creation, and automated growth tools like non-mutual following cleanup.

0· 354·0 current·0 all-time
bysugatai@jyothish12345
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Bluesky CLI with media and growth tools) align with required binaries (ffmpeg/ffprobe) and declared env vars (BLUESKY_HANDLE, BLUESKY_APP_PASSWORD). Declared npm dependencies (@atproto/api, fluent-ffmpeg, dotenv, tsx) are consistent with the described functionality.
Instruction Scope
SKILL.md commands map to existing scripts (post, delete, thread, growth commands). Runtime instructions and code operate on bsky.social and video.bsky.app endpoints only, and the code includes file-path validation to avoid shell injection. The SKILL.md cautions about rate limits and app passwords, matching the code's dry-run and rate-sensible patterns.
Install Mechanism
There is no platform install spec, but the project provides package.json and instructs users to run npm install. Dependencies come from npm registry (no arbitrary URL downloads or extract operations). This is a normal pattern but means running npm install will fetch third-party packages—review package.json and consider installing in an isolated environment.
Credentials
Only BLUESKY_HANDLE and BLUESKY_APP_PASSWORD are required (BLUESKY_APP_PASSWORD is primary). These are proportionate to a CLI that logs into a Bluesky account. The SKILL.md explicitly instructs use of App Passwords and warns not to use main account passwords.
Persistence & Privilege
The skill is not always:true and is user-invocable (defaults). Model invocation is allowed (default), so an autonomous agent could call the skill. Combined with automated growth commands (follow-all, unfollow-non-mutuals), this means you should be cautious about allowing unattended/autonomous runs that could perform account actions.
Assessment
This skill appears coherent for a Bluesky CLI: it legitimately needs ffmpeg/ffprobe and the two Bluesky env vars. Before installing or giving an App Password: 1) verify the GitHub repo/source and review package.json and the scripts (npm packages will be installed); 2) prefer creating and using a limited App Password (not your main password) and revoke it after testing; 3) run potentially destructive commands (follow-all, unfollow-non-mutuals) with --dry-run first and keep conservative -n limits; 4) run npm install in an isolated environment (container/VM) if you want extra safety; 5) be cautious about allowing autonomous agents to invoke this skill unattended because it can perform account actions. If you want, I can point out specific lines in the code that implement follow/unfollow behavior for closer review.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e1ep1qx3faj0fyeftt9akyh81vb7c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsffmpeg, ffprobe
EnvBLUESKY_HANDLE, BLUESKY_APP_PASSWORD
Primary envBLUESKY_APP_PASSWORD

Comments