Openclaw Social Scheduler
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its social-scheduling purpose, but it appears to ship with exposed social-media tokens and unclear credential persistence, so it needs review before use.
Review the code before installing. Do not use bundled credentials; remove and rotate any hardcoded tokens, provide your own credentials through protected config/env storage, avoid raw API keys in command lines, and only run the scheduler daemon when you expect it to post.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these are real tokens, the package may expose or use social-media credentials that do not belong to the installing user, enabling account abuse or unintended posting authority.
The static scan reports a hardcoded access token in a platform posting module; similar exposed-secret findings are also reported for Twitter, test, and media-upload scripts.
access_token: [REDACTED],
Do not use until all embedded secrets are removed and rotated; require credentials to be supplied by the user through clearly declared config or environment variables.
Webhook URLs, API keys, scheduled content, or account references could remain on disk and be reused later by the daemon or exposed to other local users/tools.
The documented scheduler persists queued jobs and examples pass secret-like webhook/config values into scheduled commands, but the artifacts do not explain how those values are protected or cleaned up.
💾 **Persistent queue** (survives restarts) ... social-schedule add discord WEBHOOK_URL "Posted in the future!"
Avoid passing raw secrets on the command line; use protected config files or environment variables, inspect the queue storage, and document retention and cleanup behavior.
A mistaken or unauthorized invocation could post public content, media, comments, or threads from connected accounts.
The skill is explicitly designed to publish content across multiple external accounts and can do so automatically after scheduling.
Schedule posts to Discord, Reddit, Twitter/X, Mastodon, Bluesky, and Moltbook ... **Automatic posting** via scheduler daemon
Use least-privileged platform tokens, review content before scheduling, and require user approval before any live post or media upload.
Posts may be published later even after the original interaction, if the daemon is left running.
The scheduler includes a daemon mode that continues checking and publishing queued posts after the initial command.
node scripts/schedule.js daemon
Run the daemon only when intended, monitor the queue with the list/cancel commands, and stop the process when scheduling is no longer needed.
Users may install and run dependencies that were not surfaced in the registry metadata.
The skill relies on Node/npm dependencies even though the registry install metadata does not declare an install spec or required binaries.
cd skills/social-scheduler
npm install
Install from a trusted source, review package.json/package-lock.json, and ensure Node/npm setup is explicitly declared before publication.
