Distribution Agent — Publisher Pack

Result: Pass
Audited by ClawScan on May 10, 2026.

Overview

This instruction-only social publishing skill is coherent and disclosed, but real/public publishing, cross-post defaults, and optional API tokens should be used only with explicit user approval.

This looks like a benign instruction-only publishing helper. Before installing or using it with real accounts, keep it in mock/dry-run, review any separate API server or worker code, use least-privilege publisher tokens, and explicitly confirm every platform and cross-post destination.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If real mode is connected to social accounts, a publish action could create public posts.

Why it was flagged

The skill explicitly supports a real publishing route, which is purpose-aligned for a publisher pack but can mutate social accounts if enabled.

Skill content
Publisher router (dry_run / mock / real)
Recommendation

Keep mock or dry-run as the default, and require an explicit user confirmation before switching to real publishing.

What this means

A user intending to publish only on Instagram could also post to connected Threads or Facebook accounts if the real publisher honors these defaults.

Why it was flagged

The Instagram template defaults to syncing to Threads and Facebook, so one publish action may propagate across additional platforms.

Skill content
"sync_threads": true,
"sync_facebook": true
Recommendation

Make cross-posting opt-in or confirm each destination platform before publishing in real mode.

What this means

Publisher tokens can grant access to social accounts, so over-scoped or mishandled tokens could affect account security.

Why it was flagged

The skill contemplates API tokens for real publishing, which is expected for social integrations, but the artifacts do not define specific token scopes or env var names.

Skill content
Never commit API tokens to the repo
- Use environment variables / .env
Recommendation

Use least-privilege tokens, store them outside shared repositories, and avoid enabling real mode until credential scope is understood.

What this means

Any Redis/API/worker implementation used with this skill would need a separate review because its behavior is not visible here.

Why it was flagged

The instructions refer to runtime components, but the supplied package contains only documentation files and no install spec or code for those components.

Skill content
1) Start Redis
2) Start API server (FastAPI)
3) Start worker
4) POST /publish
Recommendation

Before running any external server or worker for real publishing, inspect its source, dependencies, credentials, and logging behavior.