Distribution Agent — Publisher Pack
v1.0.0
Turn 1–9 images into platform-specific captions + mood-matched music hints, then route to mock/dry-run/real publishers with publish logs.
by MiLab (@milab-bit)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The name/description promise includes routing to mock/dry-run/real publishers and producing publish logs, but the package is instruction-only (no code, no install, no required env vars or credentials). The SKILL.md even tells operators to start Redis, a FastAPI server, and a worker, yet no implementation or install spec is provided. If the skill actually performs real publishing, it would plausibly need platform API tokens and integration code — those are absent, which is an incoherence.
Instruction Scope
The SKILL.md and PROMPTS focus on generating strict JSON publish packs and music hints (return JSON only, no tokens). That is internally consistent for a prompt-only caption/music generator. However, the runtime 'How to run (local)' instructions reference running services (Redis, FastAPI, worker, POST /publish) that lie outside the skill bundle; that suggests either a missing implementation or an expectation that the user will wire up external components. There are no instructions that explicitly read unrelated files or exfiltrate secrets, but the implicit need for platform credentials for 'real' publishing is not spelled out.
Install Mechanism
No install spec or code files are included — lowest installation risk. Because nothing is fetched or written by an installer, there is no install-time risk in the provided bundle itself.
Credentials
The skill mentions using environment variables and warns not to commit tokens, yet requires no env vars and declares no primary credential. Real publishing to social platforms normally requires OAuth tokens or API keys; the absence of any declared credential requirements while claiming 'real' publishing is a red flag and may hide where/when credentials would be used if a separate adapter were added.
Persistence & Privilege
The skill does not request persistent presence (always: false) and is user-invocable. It does not attempt to modify other skills or system-wide config. Autonomous invocation is allowed by default, which is normal; it does not amplify other privilege concerns here.
What to consider before installing
This bundle is primarily a prompt + template library for generating platform-specific captions and music hints; that part appears coherent. However, the skill also claims to route to 'mock/dry_run/real' publishers and instructs running Redis/FastAPI/worker but includes no code, install steps, or any declared API credentials. Before installing or running with real accounts: 1) ask the publisher for the source repository or implementation that performs publishing and review that code; 2) do not provide platform API tokens or OAuth secrets until you can inspect where they will be stored and used; 3) if you only need caption/music generation, use the prompts in a local, read-only way (no credentials); 4) if you plan to run the 'real' publisher, require a clear install spec, explicit required env vars, and a security review of any service that will hold credentials. Providing those items (repo/install/code and justified env vars) would increase confidence that the skill is safe to use as advertised.
Like a lobster shell, security has layers — review code before you run it.
