Agent Content Pipeline

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: agent-content-pipeline
Version: 0.2.3

The skill defines a content pipeline with explicit human-in-the-loop approval. The `SKILL.md` clearly states that the AI agent is restricted from approving or posting content, which are critical security controls. Instructions for handling sensitive tokens (like X/Twitter `auth_token` and `ct0`) are directed at the human user for setting up the `content` CLI tool, not for the agent to extract or misuse. The skill installs its own `agent-content-pipeline` npm package, which is a standard mechanism for CLI-based OpenClaw skills. No evidence of data exfiltration, malicious execution, persistence, or prompt injection attempts to bypass agent safety was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the installed CLI mishandles or overuses these session tokens, it could affect the user's social-media accounts or publish content under their identity.

Why it was flagged

The skill expects the CLI to access local browser/session credentials for social-media accounts. This is purpose-aligned for posting, but it is high-impact account access and is not declared in the registry credential requirements.

Skill content

LinkedIn | Browser profile ... X/Twitter | Firefox tokens ... Both platforms require password to post. Tokens are extracted from Firefox and encrypted locally.

Recommendation

Only use this with a trusted and inspected CLI package; prefer a dedicated browser profile or test account, avoid pasting tokens into chat, and rotate/revoke tokens if anything looks wrong.

What this means

The clean static scan only covers the included files, not the npm package that would actually run locally.

Why it was flagged

The skill depends on an external npm CLI package, but the provided artifact set contains no CLI source code for review. That matters because the external code appears responsible for posting and credential handling.

Skill content

"install": [{ "kind": "node", "package": "agent-content-pipeline", "bins": ["content", "content-pipeline"] }]

Recommendation

Review the npm package/source before installing, pin a known version if possible, and install it only in an environment where you are comfortable granting social-account access.

What this means

Running the wrong command or approving the wrong file could publish unintended content or change review status.

Why it was flagged

The documented CLI can change workflow state and publish content. The skill frames these as human-controlled and confirmation-gated, so this is expected but still high-impact if misused.

Skill content

content mv <dest> <file> # Move file to drafts/reviewed/revised/approved/posted
content post <file> # Post (prompts for confirmation)

Recommendation

Use `content post --dry-run`, verify the file and platform before posting, and do not let the agent run approval or posting commands.

What this means

Private draft content and review feedback may remain on disk after the posting workflow is complete.

Why it was flagged

The workflow stores persistent review-thread logs locally. This is purpose-aligned, but those logs may contain unpublished drafts, feedback, or strategy.

Skill content

.content-pipeline/threads/ — feedback thread logs (not posted)

Recommendation

Keep the workspace private, avoid committing these folders accidentally, and periodically clean up old drafts and thread logs.