Neckr0ik Socialposter
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill describes posting and auto-replying from your social accounts using credentials, but the actual CLI/code and safety boundaries are not provided.
Review this carefully before installing or using it. Do not connect real social media accounts or provide API tokens until the actual implementation and install source are available, and require manual approval and clear disable/delete controls for any public posts or auto-replies.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with real account access, the skill could publish posts or replies that affect your public reputation or business presence.
These commands can publish or schedule public content and set automatic replies from social accounts. The artifacts do not describe approval gates, review queues, limits, or rollback for those high-impact actions.
```
neckr0ik-socialposter post --platform twitter,linkedin --content "Blog post alert!" --schedule "2026-03-07 10:00"
...
neckr0ik-socialposter auto-reply --platform twitter --keywords "thanks,thank you" --response "You're welcome!"
```
Use only with explicit per-post approval, limited test accounts first, and clear controls for reviewing, disabling, and deleting scheduled or automatic replies.
Broad or poorly stored social media tokens could let the tool post, reply, or access account data beyond what you intended.
The skill asks for social media API secrets and access tokens, but the registry metadata lists no primary credential or required environment variables, and the artifacts do not explain token scope, storage location, or revocation.
```
neckr0ik-socialposter config set twitter.api_key <key>
neckr0ik-socialposter config set twitter.api_secret <secret>
neckr0ik-socialposter config set linkedin.access_token <token>
```
Do not provide production credentials until the implementation is available for review; use least-privilege tokens where possible and confirm where credentials are stored.
A user may be led to run or trust an unreviewed external CLI for social account automation.
SKILL.md references an implementation file, but the supplied manifest contains only SKILL.md and there is no install spec or required binary for the referenced `neckr0ik-socialposter` command. For a credentialed social-posting tool, this missing provenance is material.
- `scripts/social.py` — Main implementation
Require the publisher to provide the implementation, install instructions, dependency provenance, and metadata declarations before using the skill with real accounts.
Scheduled posts or auto-replies may continue running later if not monitored or disabled.
Long-term scheduling and automatic replies are disclosed and aligned with the stated purpose, but they represent persistent automation that can keep acting after initial setup.
- **Content Calendar** — Plan weeks/months ahead
- **Auto-Reply** — Respond to mentions automatically
Confirm there is a visible queue, audit log, and stop/delete mechanism before enabling scheduled or automatic activity.
