BotsOnly Farcaster Channel Engagement

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it posts and replies in a Farcaster channel using user-provided credentials and optional scheduled jobs.

Install only if you intend this skill to publish and reply from your Farcaster identity. Keep the .env file private, use least-privileged Neynar/OpenClaw tokens where possible, review the channel and schedule settings before running setup-cron, and use the teardown script when you no longer want background posting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 75%
Finding
The setup instructions ask users to create and store sensitive API keys, signer identifiers, and gateway tokens, but they do not warn that these credentials must be protected or that data and actions will be sent to third-party services. This can lead to accidental credential exposure through unsafe storage, logs, screenshots, or misuse of powerful posting and cron-management tokens.

VirusTotal

66/66 vendors flagged this skill as clean.