Buffer Publisher

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Buffer publishing skill, but its instructions let an agent use a Buffer API key to post immediately to public LinkedIn/X accounts, and they contain no clear approval guardrail before that happens.

Install only if you trust the skill owner and intend this agent to help publish to the named Buffer-connected LinkedIn/X channels. Before use, require an explicit confirmation step for the final content, channel, and timing, and tightly restrict access to the Buffer API key.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: Medium
What this means

An agent following this skill could publish or schedule public posts to the connected LinkedIn/X accounts if it has the Buffer key, which could cause reputational or business impact if the content, channel, or timing is wrong.

Why it was flagged

The documented workflow performs a direct Buffer createPost mutation that can immediately publish to a connected public social channel; the provided instructions do not show a mandatory final approval step before this high-impact action.

Skill content
## Publish Immediately (shareNow) ... mutation CreatePost($input: CreatePostInput!) ... "mode": "shareNow" ... "https://api.buffer.com/graphql"
Recommendation

Require explicit user approval of the final post text, target channel, and publish time before any createPost call, and prefer a review/scheduling workflow over immediate publishing unless the user clearly requests shareNow.

ASI03: Identity and Privilege Abuse
Severity: Medium
What this means

Anyone, human or agent, who obtains the Buffer API key this skill relies on can potentially publish through the connected Buffer account.

Why it was flagged

The skill uses a 1Password-stored Buffer bearer token to act on connected social channels. This is expected for the stated purpose, but it is sensitive delegated account access.

Skill content
API key: `op://OpenClaw/Buffer API Credentials/credential` ... Auth header: `Authorization: Bearer <key>` ... Connected Channels ... LinkedIn ... Twitter/X
Recommendation

Limit access to the 1Password item, use the least-privileged Buffer credential available, rotate it if exposed, and log or review all posts made through this skill.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low
What this means

Users have little independent evidence that the skill instructions actually come from the claimed owner or are maintained through a trusted source.

Why it was flagged

The registry does not provide a source repository or homepage, limiting provenance verification for a skill that instructs use of a publishing credential.

Skill content
Source: unknown; Homepage: none
Recommendation

Verify the owner and intended use out-of-band before granting access to the Buffer credential or using it on official social channels.