Neckr0ik Socialposter

v1.0.0

Automate social media posting across Twitter, LinkedIn, Facebook, Instagram. Schedule posts, track engagement, auto-reply. Use when you need to manage social...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The SKILL.md describes a full-featured CLI (neckr0ik-socialposter), references scripts (scripts/social.py) and reference docs, and explains how to set API credentials for Twitter/LinkedIn/etc., but the published skill contains no code files, no binaries, no install spec, and declares no required environment variables. A social-posting skill would normally include either an install step, a packaged binary/library, or explicit requirements for API credentials — those are missing here.
! Instruction Scope
The runtime instructions expect the agent/user to run a local CLI, manage configuration, and manipulate local files (e.g., ${day}-content.txt, replies.yaml, references/*). There are no instructions that tell how to obtain or install that CLI or how the agent should handle OAuth flows. The instructions do not ask the agent to read unrelated system secrets, but they assume access to local files and a CLI that are absent from the package.
! Install Mechanism
There is no install specification and no shipped code. Yet SKILL.md references an executable and scripts. This mismatch means the skill cannot function as described out of the box and could mislead an agent into attempting to run commands that do not exist. Absence of an install mechanism when one is clearly needed is a red flag.
! Credentials
The documentation shows the skill requires platform API keys/tokens (twitter.api_key, twitter.api_secret, linkedin.access_token) and persistent configuration, but the registry metadata declares no required environment variables or primary credential. The skill should have declared what secrets it needs and how it expects them to be supplied; the omission is inconsistent and could confuse users about where to provide sensitive credentials.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config modifications, and is not forcing autonomous inclusion. No elevated persistence or cross-skill modification is indicated in the metadata.
What to consider before installing
This package looks incomplete or improperly published: the SKILL.md expects a local CLI, scripts, and API credentials, but the skill bundle contains no code, no install instructions, and declares no required credentials. Before installing or using it, ask the publisher for: (1) the source code or a trustworthy homepage, (2) a clear install method (package/binary or repository), (3) an explanation of how credentials are handled (OAuth vs. direct tokens) and what exact env vars/permissions are needed, and (4) the referenced files (scripts/social.py, references/*). Do not supply API keys or tokens to this skill until you can verify its code and origin. If you can't obtain those assurances, avoid using it or only run it in an isolated/test environment with throwaway accounts.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fr27pajdyrj3ptqmea1wywn82e7nz
