Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Content Auto Poster

v1.0.0

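Automatically publishes content to multiple platforms, with scheduled posting to WeChat Official Accounts, Weibo, Zhihu and other platforms.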

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
Name/description say it will post to WeChat, Weibo, Zhihu, etc., and collect stats, but the package declares no required credentials, no APIs, and no install steps. Realistically this capability requires platform credentials, OAuth flows, or API client configuration — their absence is inconsistent.
! Instruction Scope
SKILL.md is a high-level product spec (inputs/outputs/config) but includes no runtime instructions for authentication, API endpoints, or how to perform posting/scheduling. That vagueness gives the agent broad discretion (e.g., it might prompt for credentials or call unknown endpoints) and is a scope/clarity problem.
Install Mechanism
No install spec and no code files — lowest-risk form from an install/execution perspective. Nothing will be written to disk by an installer because none is provided.
! Credentials
The skill requests no environment variables or credentials despite needing access to multiple external platforms. The lack of declared required credentials is disproportionate to the stated functionality and leaves unclear how the skill will obtain or store account tokens/passwords.
Persistence & Privilege
always is false and there is no indication the skill modifies other skills or requests long‑lived platform access in its manifest. No automatic permanent privileges are declared.
What to consider before installing
This skill's description claims it will post and gather stats on multiple platforms, but the manifest contains no code, no install steps, and no required credentials — which is inconsistent because posting requires platform authentication. Before installing or using it, ask the publisher for: (1) a source repository or homepage and contact information; (2) exact authentication method (OAuth, API keys, where tokens are stored, and whether the skill will ask you to paste credentials); (3) the API endpoints or SDKs it will call; (4) privacy/data‑retention and billing details. Do not provide full account passwords; prefer limited-scope API tokens or OAuth app authorization. If you must test it, use throwaway accounts or sandbox credentials and verify what network endpoints the agent calls. Because the skill is vague about credentials and behaviour, treat it as untrusted until the above questions are answered.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cwgh8yn1cafbkbb655yhtpn83kdkf


Runtime requirements

📝 Clawdis
OS: Windows · macOS · Linux
