autoecom

Pass

Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: autoecom
Version: 1.0.1

The autoecom skill bundle is a legitimate automation pipeline designed to generate and publish social media carousels for ecommerce stores. It uses a combination of AI agent instructions (SKILL.md) and a Python helper script (autoecom.py) to perform web scraping, image generation via Google Gemini, and publishing via the Upload-Post API. While it includes capabilities for persistence (scheduling daily/weekly routines) and network access, these are explicitly documented and necessary for its stated purpose. The skill also includes security-conscious instructions for the agent regarding the handling of API keys and user consent for scheduling.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved or misconfigured, a run can create Instagram and TikTok content for the connected profile.

Why it was flagged

The workflow includes a tool path that publishes or drafts content on connected social accounts. This is central to the skill's purpose, but it affects public/business channels.

Skill content

9. **Publish** — multipart POST to Upload-Post → IG carousel + TikTok draft.

Recommendation

Confirm the Upload-Post profile points only to the intended accounts, preview every carousel, and keep the approval step before publishing.

What this means

The skill can use paid/privileged provider APIs and publish through the configured Upload-Post profile.

Why it was flagged

The skill requires API credentials for Gemini and Upload-Post. These are expected for generation and publishing, but they grant delegated authority and should be handled carefully.

Skill content

env: [STORE_URL, GEMINI_API_KEY, UPLOAD_POST_API_KEY, UPLOAD_POST_PROFILE]

Recommendation

Use dedicated API keys where possible, keep them in the .env file only, do not paste them into chat after setup, and revoke them if the skill is no longer used.

Note (High Confidence)

ASI10: Rogue Agents

What this means

The agent may run the carousel workflow and learning workflow on a schedule until the routines are disabled.

Why it was flagged

The skill asks the harness to create recurring daily and weekly routines. This is disclosed and purpose-aligned, but it is persistent autonomous operation.

Skill content

Two scheduled routines (REQUIRED — install on first run) ... the agent MUST verify both routines exist and offer to create whichever is missing.

Recommendation

Create the routines only if you want ongoing automation, record where they are installed, and periodically verify or remove the schedules.

What this means

Future carousels may be shaped by stored learning files; if those files are wrong or tampered with, future content quality or messaging could drift.

Why it was flagged

The skill stores HOT_HOOKS.md and HOT_IMAGERY.md learnings and reuses them in later content generation. This is an intended learning loop, but persistent context can influence future outputs.

Skill content

Two evidence-backed priors are maintained from real engagement and re-injected into future runs

Recommendation

Review the learnings folder occasionally and restrict write access to the skill directory.

What this means

Installing from a remote repository runs code and dependencies outside the registry install metadata path.

Why it was flagged

The setup path asks an agent to clone a remote repository and install Python dependencies. This is a normal setup pattern for this skill, and requirements.txt pins versions, but users should still verify the source.

Skill content

clone the repo into ~/Documents/skill-autoecom, create the venv, install requirements.txt

Recommendation

Clone only the expected repository, inspect the files before running, and consider pinning a commit or release tag.