ClawHub

agent-Postmoore

v1.0.0

Autonomously post, schedule, upload media, save drafts, and manage content across Instagram, TikTok, YouTube Shorts, LinkedIn, Facebook, Threads, and Bluesky...

0· 36·0 current·0 all-time
byOmaano Tetteh@rkotchamp
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description, SKILL.md, and the included CLI script all align: this is a Postmoore client for uploading and scheduling social posts. The required credential (POSTMOORE_API_KEY) and optional use of ffmpeg for extracting video frames are consistent with the stated purpose. Minor incoherences: the registry summary at the top of the package metadata lists no required env vars and no homepage, while SKILL.md declares POSTMOORE_API_KEY and a homepage (https://postmoo.re). That mismatch is likely an authoring/registry metadata error, not malicious.
Instruction Scope
SKILL.md instructs the agent to upload files, call the Postmoore API endpoints, and (for video) run ffmpeg to extract a frame. The included script reads/writes user config files (~/.config/postmoore/config.json and .postmoore/config.json) to store an API key and reads media files to upload. Those file reads/writes are coherent with the skill's purpose. There are no instructions to read unrelated system files or to send data to unexpected external endpoints beyond postmoo.re/storage endpoints described in the docs.
Install Mechanism
This is instruction-only plus a single CLI script; there is no install spec that downloads/extracts arbitrary archives or runs installers. No high-risk install behavior was found.
Credentials
The only secret the skill needs is POSTMOORE_API_KEY (declared in SKILL.md metadata and used in code). The code supports reading the key from env or from config files. This is proportionate, but be aware the CLI writes the key to a local or global config file by default (global ~/.config/postmoore/config.json) which may be a privacy risk in shared environments.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or global agent settings. It only persists its own config in user paths (expected behavior for a CLI client).
Assessment
This skill appears to do what it says: it needs a Postmoore API key and will upload media files and call postmoo.re endpoints. Before installing: (1) Verify the service domain (https://postmoo.re) and that you trust Postmoore; (2) Prefer providing the API key via environment variable rather than writing it to a global config file if you are on a shared machine; (3) If you will use video features, install ffmpeg and ensure you consent to the agent being asked for file paths (the skill will read the specified media files to upload); (4) Note the package registry metadata omitted the declared POSTMOORE_API_KEY/homepage — this is likely a metadata error but you may want to confirm the publisher identity and the homepage; (5) Use a scoped or revocable API key (if the service supports it) so you can revoke access if needed.

Like a lobster shell, security has layers — review code before you run it.

latestvk975jd2s5xnrrvp5j194cqmep984x2wm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments