Skill v1.0.0

ClawScan security

agent-Postmoore · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 12:02 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement exactly the social-posting functionality it claims (uses a Postmoore API key, uploads media, schedules posts) with no obvious hidden endpoints or extraneous credentials, though there are small metadata mismatches and a few privacy notes to consider.
Guidance
This skill appears to do what it says: it needs a Postmoore API key and will upload media files and call postmoo.re endpoints. Before installing: (1) Verify the service domain (https://postmoo.re) and that you trust Postmoore; (2) Prefer providing the API key via environment variable rather than writing it to a global config file if you are on a shared machine; (3) If you will use video features, install ffmpeg and ensure you consent to the agent being asked for file paths (the skill will read the specified media files to upload); (4) Note the package registry metadata omitted the declared POSTMOORE_API_KEY/homepage — this is likely a metadata error but you may want to confirm the publisher identity and the homepage; (5) Use a scoped or revocable API key (if the service supports it) so you can revoke access if needed.

Review Dimensions

Purpose & Capability
note: The name/description, SKILL.md, and the included CLI script all align: this is a Postmoore client for uploading and scheduling social posts. The required credential (POSTMOORE_API_KEY) and optional use of ffmpeg for extracting video frames are consistent with the stated purpose. Minor inconsistency: the registry summary at the top of the package metadata lists no required env vars and no homepage, while SKILL.md declares POSTMOORE_API_KEY and a homepage (https://postmoo.re). That mismatch is likely an authoring/registry metadata error, not malicious.
Instruction Scope
note: SKILL.md instructs the agent to upload files, call the Postmoore API endpoints, and (for video) run ffmpeg to extract a frame. The included script reads/writes user config files (~/.config/postmoore/config.json and .postmoore/config.json) to store an API key and reads media files to upload. Those file reads/writes are coherent with the skill's purpose. There are no instructions to read unrelated system files or to send data to unexpected external endpoints beyond postmoo.re/storage endpoints described in the docs.
Install Mechanism
ok: This is instruction-only plus a single CLI script; there is no install spec that downloads/extracts arbitrary archives or runs installers. No high-risk install behavior was found.
Credentials
note: The only secret the skill needs is POSTMOORE_API_KEY (declared in SKILL.md metadata and used in code). The code supports reading the key from env or from config files. This is proportionate, but be aware the CLI writes the key to a local or global config file by default (global ~/.config/postmoore/config.json) which may be a privacy risk in shared environments.
Persistence & Privilege
ok: The skill does not request 'always: true' and does not modify other skills or global agent settings. It only persists its own config in user paths (expected behavior for a CLI client).