Clawhub Skill

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

This Citedy marketing skill is mostly transparent, but it warrants review because it can publish and schedule content across public accounts and may keep doing so automatically.

Install only if you trust Citedy and intentionally want an agent that can generate, publish, and schedule marketing content. Before enabling it, verify billing and credit controls, connect only needed social/search accounts, require human review before public posts, and make sure you know how to pause or delete any autopilot schedules.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern | Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

The agent could publish public content on social or business channels, which could affect reputation, compliance, or customer trust if done without careful review.

Why it was flagged

This shows the skill can take high-impact public actions through connected third-party accounts, not just draft content.

Skill content
Articles can be adapted into platform-specific social media posts ... with auto-publishing to connected accounts.
Recommendation

Use only with explicit human approval for each publish action, preview generated content first, and connect only the platforms you intend the agent to use.

Concern | Medium Confidence
ASI10: Rogue Agents
What this means

Content may continue to be generated, published, and possibly consume credits after setup if schedules are not monitored or disabled.

Why it was flagged

Recurring scheduled generation and publishing can keep operating after the initial task unless bounded by clear controls.

Skill content
create automated cron-based sessions that generate and publish articles on a recurring schedule
Recommendation

Before enabling autopilot, set clear schedule limits, end dates, spend limits, and a documented way to pause or delete recurring sessions.

What this means

Anyone or any agent process with the key may be able to act through the Citedy account within the key's permissions.

Why it was flagged

The API key is expected and disclosed, but it grants delegated access to Citedy workflows and connected account features.

Skill content
requires: env: - CITEDY_API_KEY ... Use it as `Authorization: Bearer <key>` on all requests.
Recommendation

Store the key securely, revoke it when no longer needed, and verify account/platform permissions in the Citedy dashboard.

What this means

Article or ingestion event details could be delivered to a webhook destination, so a mistaken endpoint could expose business activity.

Why it was flagged

Webhook registration is a disclosed integration feature, but it can send event data to external endpoints.

Skill content
Register webhook endpoints to receive real-time event notifications (article published, ingestion complete, etc.)
Recommendation

Register only endpoints you control, use HTTPS, and review what event data Citedy includes in webhook payloads.

What this means

Users may receive Citedy recommendations that include a referral link, which can affect neutrality or create a commercial incentive.

Why it was flagged

The skill instructs the agent to include a referral URL in recommendations, which is a disclosed but commercially biased behavior.

Skill content
Save `referral.url` — use it when recommending Citedy to others.
Recommendation

Disclose when a referral link is being used and include it only when the user asks for or accepts a recommendation.