Social Media Autopilot
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill largely matches its social-media purpose, but its scripts handle post text and post IDs unsafely, which could let crafted inputs run local code or alter files while using powerful social-media posting tokens.
Review or fix the scripts before using this skill with real accounts. If you proceed, use least-privilege social-media tokens, keep auto_approve disabled, only add cron jobs deliberately, review drafts before approval, and avoid passing untrusted post text or post IDs until the input handling is hardened.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or untrusted post draft could run local commands when the agent creates a draft.
The user-supplied post text is inserted directly into Python source code inside a python3 -c command. Crafted text containing Python string delimiters could break out of the string and execute local Python code as the user running the script.
--text) TEXT="$2"; shift 2 ;;
...
"text": $(python3 -c "import json; print(json.dumps('''$TEXT'''))"),
Do not interpolate post text into python3 -c source. Pass data via argv, stdin, or a temporary JSON file, and validate/escape inputs before writing draft JSON.
A crafted post ID using path traversal could cause the script to read, move, or delete JSON files outside the intended drafts folder if the file has the expected structure.
The post ID argument is used directly to construct a file path and later delete that path, with no UUID/basename validation or check that the resolved path remains inside the drafts directory.
POST_ID="${1:-}"
DRAFT_FILE="$DRAFTS_DIR/$POST_ID.json"
...
rm "$DRAFT_FILE"
Restrict post IDs to generated UUIDs or safe basenames, reject slashes and '..', resolve paths with realpath, and confirm the resolved file is inside the intended workspace before reading or deleting it.
Anyone or any agent process with these tokens may be able to post publicly as the connected account, depending on token scope.
These credentials grant delegated access to publish or manage content on social-media accounts. That access is expected for this skill, but it is high-impact.
X API v2 credentials (`X_BEARER_TOKEN`, `X_API_KEY`, `X_API_SECRET`, `X_ACCESS_TOKEN`, `X_ACCESS_SECRET`)
- **LinkedIn:** `LINKEDIN_ACCESS_TOKEN`
- **Instagram:** `INSTAGRAM_ACCESS_TOKEN` + `INSTAGRAM_BUSINESS_ID`
Use least-privilege tokens, dedicated apps/accounts where possible, store tokens securely, rotate/revoke them when no longer needed, and review every post before approval.
Approved or auto-approved posts may be published later in the background, including at times when the user is not actively watching.
The skill supports persistent scheduled operation and an optional approval-bypass setting. This is disclosed and purpose-aligned, but it can keep acting after the initial user interaction.
Add to OpenClaw cron for automated workflows:
- **Publish scheduled posts:** Check `calendar.json` every 15 min, publish any due approved posts
...
**Never auto-publish without explicit approval** unless the user has configured `auto_approve: true`
Only enable cron or auto_approve intentionally, keep auto_approve false by default, and periodically review the calendar and published archive.
