Social Listening Monitoring
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a legitimate social-listening guide, but it relies on external scraping, API credentials, webhooks, and (most likely) scheduled monitoring, all of which users should configure carefully.
Before installing or copying the examples, decide exactly which brands and competitors to monitor, protect all API keys and webhook URLs, pin npm dependencies, confirm the scraping complies with platform rules, and make sure any scheduled monitor has a clear stop and cleanup process.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or manipulative public post could distort sentiment analysis, crisis classification, or generated reply drafts if prompts are not isolated.
The model is expected to process arbitrary scraped social-media text and generate analysis or draft responses. That content should be treated as untrusted input, not as instructions.
Claude (OpenClaw) analyzes sentiment, detects crises, and classifies each mention ... Response Generator → suggested reply drafts
Treat scraped mentions as quoted data, add prompt-injection guardrails, and require human review before publishing any response.
The monitor may collect public posts and profile metadata at scale, which can raise platform terms-of-service, privacy, or rate-limit issues.
The skill documents automated scraping of social platforms and collection of public author metadata. This is central to the stated purpose, but it is a broad external data-collection capability.
apify.actor("apify/twitter-scraper").call({ searchTerms: BRAND_CONFIG.keywords, maxTweets: 100, addUserInfo: true
Limit keywords and competitors to the intended monitoring scope, respect platform and Apify terms, and keep rate limits and retention periods conservative.
If these secrets are exposed, someone could consume API quota or post alerts to the configured Slack or Telegram destination.
The setup asks the user to provide third-party API keys and webhook credentials. These are expected for the integration, with no artifact evidence of credential leakage or unrelated use.
export APIFY_TOKEN=apify_api_xxxxxxxxxxxxxxxx ... export CLAUDE_API_KEY=sk-ant-xxxxxxxxxxxxxxxx ... export SLACK_WEBHOOK_URL=https://hooks.slack.com/services/xxx/xxx/xxx ... export TELEGRAM_BOT_TOKEN=123456789:AABBccDDeeFFggHH
Use environment variables or a secrets manager, avoid committing tokens, rotate tokens if exposed, and use the least privilege available for each provider.
Future package changes or a compromised dependency could affect the monitoring system if installed without review.
The skill instructs users to install public npm packages without pinned versions or a lockfile. This is common in example setups, but dependency provenance and version drift still matter.
npm install apify-client axios node-cron dotenv
Pin package versions, generate and review a lockfile, and install from a trusted npm registry.
Brand-monitoring data, negative-mention alerts, or generated analysis could be visible to anyone with access to the configured channel.
The skill sends monitoring results and crisis alerts to external communication channels. This is purpose-aligned, but the destination and channel access controls matter.
Alerts fire instantly to Slack, Telegram, or email when reputation risk is detected
Send alerts only to approved private channels, protect webhook URLs and bot tokens, and avoid including unnecessary sensitive business context in alerts.
A monitor left running could continue scraping, consuming API quota, and sending alerts after the immediate task is over.
The described workflow and node-cron dependency imply scheduled or long-running monitoring. This is disclosed and fits the purpose, but it should remain under user control.
real-time brand reputation monitoring system ... Alert immediately ... Generate weekly reputation reports ... npm install apify-client axios node-cron dotenv
Run it only under an explicit scheduler, document how to stop it, and define retention and cleanup for generated reports.
