Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Postavel
v1.5.0
Connect to Postavel social media management platform via MCP (Model Context Protocol). Create, schedule, and manage social media posts across Facebook, Insta...
⭐ 0· 528·0 current·0 all-time
by Vladimir Nikolic (@nezaboravi)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the actions requested: the skill connects to Postavel via MCP, uses an MCP client (mcporter), and lists/creates/schedules posts. No unrelated credentials, binaries, or behaviors are requested.
Instruction Scope
SKILL.md stays within the stated purpose: it instructs installing/configuring mcporter, running OAuth in the browser, and then calling Postavel MCP operations. It does not ask the agent to read unrelated system files or exfiltrate data. The instructions do include an inline curl | bash installer and commands that run mcporter and write ~/.config/mcporter/postavel.json (expected for this integration).
Install Mechanism
No package is forced by the skill itself (instruction-only), but the docs and scripts recommend installing mcporter via Homebrew/npm or a direct download from GitHub releases. SKILL.md also suggests running curl -fsSL https://postavel.com/install-mcp | bash — a convenient but higher-risk pattern. The included scripts mirror the same steps, and direct downloads point to GitHub releases (reasonable).
Credentials
The skill declares no required env vars or credentials. Reference docs mention optional MCPORTER_POSTAVEL_* env vars for convenience, which are proportionate to an MCP client. OAuth tokens are stored locally under ~/.config/mcporter as described — expected for this flow.
Persistence & Privilege
always:false and no attempt to modify other skills or system-wide agent settings. The skill writes a mcporter config into the user's ~/.config/mcporter/ (normal for this client) and launches an OAuth flow. This is expected and proportionate.
Assessment
This skill appears coherent for connecting an AI assistant to Postavel via an MCP client. Before installing: (1) verify that https://postavel.com is the legitimate service you expect; (2) prefer running the included local script (~/.openclaw/workspace/skills/postavel/scripts/setup-mcp.sh or scripts/install-mcp.sh) after inspecting it instead of piping a remote URL directly to bash; (3) avoid running installation commands with sudo unless required and inspect any binary downloaded to /usr/local/bin; (4) be aware the flow opens your browser for OAuth and stores tokens in ~/.config/mcporter — you can revoke access later from Postavel settings; (5) if uncertain about mcporter, install it from its official upstream (Homebrew, npm, or GitHub releases) instead of a site-hosted installer.
Like a lobster shell, security has layers — review code before you run it.
