ClawHub

Post See Social Scheduler

v1.0.0

Turn your OpenClaw into an autonomous social media manager using the Post See API. Use when scheduling, posting, or managing content across Instagram, Linked...

0· 65·0 current·0 all-time
byKishan@makani20
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, code, and runtime instructions align with a Post See API social scheduler: the only required credential is POST_SEE_API_KEY and ffmpeg is justified for optional local-video frame extraction. Minor inconsistency: the bundle contains Node 18+ CLI scripts (actions/*.js) and skill.json documents Node as the runtime, but the top-level requirements list provided to the registry only names ffmpeg (Node is not listed as a required binary). This is likely benign (the platform may supply Node), but you should expect Node 18+ if you plan to run the included scripts locally.
Instruction Scope
SKILL.md instructs only API usage against https://api.post-see.com, local ffmpeg for optional frame extraction, and uses workspace/account IDs returned by the API. It does not instruct reading arbitrary system files or exfiltrating unrelated secrets. It does warn agents may read workspace files and that media must be hosted at public HTTPS URLs.
Install Mechanism
No install/download spec is present (instruction-only install). The package includes source files but does not fetch arbitrary external archives or run an installer; there are no unknown download URLs or extract steps.
Credentials
Only POST_SEE_API_KEY is required (with optional POST_SEE_WORKSPACE_ID and POST_SEE_TIMEZONE). These map to the described API usage and are proportionate to scheduling/publishing functionality.
Persistence & Privilege
The skill is not force-installed (always: false) and does not request system-wide configuration or other skills' credentials. It can be invoked autonomously by the agent (platform default), which is expected for this type of integration.
Assessment
This skill appears to do what it claims, but check a few practical things before enabling it: (1) Only provide a least-privilege POST_SEE_API_KEY and test in a sandbox workspace first; keys like this can publish on your connected accounts. (2) If you plan to run the bundled Node CLIs, ensure Node 18+ is available locally (the registry metadata did not explicitly list Node). (3) Be cautious about using local files — the skill suggests hosting media at public HTTPS URLs; making media public can leak content. (4) Revoke the API key if you suspect exposure, and avoid committing keys into repos or .env files that get shared. If you want extra assurance, inspect/approve network endpoints and review the Post See account permissions for the API key before granting access.
actions/post-see-client.js:10
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a2fp7ddw6n6e00wty1tdg4s83q6kj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsffmpeg
EnvPOST_SEE_API_KEY
Primary envPOST_SEE_API_KEY

Comments