VKontakte - publishing posts, photos and videos. Dialogues with visitors. NodeJS
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to perform VK community management as described, but it asks for a broad, permanent VK User Token and leaves powerful API actions insufficiently scoped.
Install only if you are comfortable granting this skill authority over your VK account and community. Prefer a narrowly scoped, revocable token, avoid permanent offline tokens where possible, and require explicit confirmation before the skill posts, sends messages, marks messages as read, or issues raw VK API calls.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A token with these scopes lets the agent, or anyone who obtains the token, read and send messages and manage community content until the token is revoked.
The documentation asks for a long-lived user credential with broad, admin-level VK scopes: `offline` makes the token non-expiring, `messages` grants access to the account's private conversations, and the remaining scopes give content-management authority well beyond simple posting.
User Token ... Grants full administrator rights ... edit and delete any posts. ... scope: `wall,groups,photos,video,messages,offline`.
Use a dedicated account or a community/app token with the smallest scope set the task needs, omit `offline` unless a non-expiring token is truly necessary, keep the token out of shared shells, command lines and logs, and revoke it after use.
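As an added example (this is not code from the skill or from ClawScan), a small Node.js check that compares the scope string quoted above with a least-privilege allowlist, and decodes the integer permission bitmask that VK's `account.getAppPermissions` method returns so a live token's actual rights can be reviewed the same way. The `postingOnly` list and the sample mask are constructed for illustration; the bit values are the ones VK documents for each permission, written here from memory, so verify them against the current VK documentation before relying on the decoder.

```javascript
// Added example, not the skill's code: least-privilege review of VK scopes.
// Bit values are VK's documented permission bits as recalled here
// (assumption: confirm against current VK docs before use).
const VK_SCOPE_BITS = {
  photos: 4,
  video: 16,
  messages: 4096,
  wall: 8192,
  offline: 65536,
  groups: 262144,
};

// Scopes that grant authority well beyond "publish a post": private
// conversations (messages) and a non-expiring token (offline).
const HIGH_RISK_SCOPES = new Set(['messages', 'offline']);

// Parse a comma-separated scope string such as the one quoted in the finding.
function parseScope(scopeString) {
  return scopeString.split(',').map((s) => s.trim()).filter(Boolean);
}

// Compare the requested scopes with the scopes the task actually needs.
// Returns the excess scopes, which of them are high-risk, and an ok flag.
function reviewScope(requested, needed) {
  const need = new Set(needed);
  const excess = requested.filter((s) => !need.has(s));
  return {
    excess,
    highRisk: excess.filter((s) => HIGH_RISK_SCOPES.has(s)),
    ok: excess.length === 0,
  };
}

// Decode the bitmask returned by account.getAppPermissions into scope names,
// so a token that already exists can be audited with reviewScope as well.
function decodePermissionMask(mask) {
  return Object.entries(VK_SCOPE_BITS)
    .filter(([, bit]) => (mask & bit) !== 0)
    .map(([name]) => name);
}

// Constructed inputs: the scope string from the skill's SKILL.md and the
// scopes a "publish posts, photos and videos to the community" task needs.
const requested = parseScope('wall,groups,photos,video,messages,offline');
const postingOnly = ['wall', 'groups', 'photos', 'video'];
console.log(reviewScope(requested, postingOnly));

// Constructed mask as account.getAppPermissions might return it for a token
// carrying wall + groups + messages + offline.
console.log(decodePermissionMask(8192 + 262144 + 4096 + 65536));
```

Run the review before handing a token to the skill, and again against the live token's permission mask, because the scope a user approved in the OAuth dialog is what matters, not the scope the documentation asked for.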
An agent could call VK methods outside the intended workflow and, if the token allows it, change or delete community or account data.
This is a raw VK API escape hatch: it is not limited to the documented CLI commands or to safe, read-only methods, and it is especially risky when paired with the broad User Token the skill recommends. The quoted `curl` form also places the token in the URL query string, where it ends up in shell history and in any proxy or server logs.
If the CLI doesn't support a specific method, you can use `fetch` in Node.js or `curl`: `curl "https://api.vk.com/method/METHOD_NAME?access_token=TOKEN&v=5.131&PARAM1=VALUE1"`
Restrict the agent to the documented CLI commands unless the user explicitly supplies the exact VK method and parameters, and require confirmation for posting, deletion, messaging, or any other account-changing action.
During a polling session, new messages may be marked read automatically, and the process may keep listening longer than expected.
The polling command is an intentional real-time monitoring feature, but without a wait limit it runs until the process is stopped, and with `mark_read=1` it marks every incoming message as read automatically.
`while (true) { ... if (markRead === '1') { await callVk('messages.markAsRead', { peer_id: msg.peer_id }, token); }`
Use the optional `wait_seconds` limit, avoid `mark_read=1` unless that is what you want, and stop the process when monitoring is no longer needed.
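Added example covering both the raw API escape hatch and the polling finding (my code, not the skill's or ClawScan's): a `callVk` wrapper that refuses methods outside an allowlist, requires a confirmation callback before any mutating call, and builds the request URL instead of splicing the token into a command line, plus a `pollMessages` loop with a hard deadline that only calls `messages.markAsRead` when asked to. The method lists, the `transport` and `confirm` callbacks, and the fake offline transport are assumptions for illustration; the API version `5.131` and the `access_token` parameter come from the `curl` line quoted above, and the `messages.getConversations` response shape (`items[].last_message`) and the `{ error: { error_code, error_msg } }` error envelope are VK's documented formats.

```javascript
// Added example, not the skill's code: a policy layer in front of raw VK API
// calls plus a bounded polling loop. Method lists, `transport` and `confirm`
// are hypothetical; `v` and `access_token` match the quoted curl command.
const VK_API = 'https://api.vk.com/method/';
const VK_VERSION = '5.131';

// Only the methods the documented workflow needs. Anything else is refused,
// which closes the "any METHOD_NAME" escape hatch.
const READ_ONLY = new Set(['messages.getConversations', 'wall.get']);
const MUTATING = new Set(['wall.post', 'wall.delete', 'messages.send', 'messages.markAsRead']);

class VkPolicyError extends Error {}

// 'allow' (read-only), 'confirm' (needs human approval) or 'deny' (unknown).
function classify(method) {
  if (READ_ONLY.has(method)) return 'allow';
  if (MUTATING.has(method)) return 'confirm';
  return 'deny';
}

// Build the URL with the URL API so parameters are encoded and the token is
// never interpolated into a shell command or a format string by hand.
function buildUrl(method, params, token) {
  const url = new URL(method, VK_API);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, String(v));
  url.searchParams.set('v', VK_VERSION);
  url.searchParams.set('access_token', token);
  return url;
}

// Guarded replacement for an unrestricted fetch(). `transport(url)` performs
// the HTTP request (injected so this runs offline); `confirm(method, params)`
// resolves to true only if the user approved the action.
async function callVk(method, params, token, { transport, confirm }) {
  const decision = classify(method);
  if (decision === 'deny') throw new VkPolicyError(`method not allowed: ${method}`);
  if (decision === 'confirm' && !(await confirm(method, params))) {
    throw new VkPolicyError(`user declined: ${method}`);
  }
  const body = await transport(buildUrl(method, params, token));
  if (body.error) throw new Error(`VK error ${body.error.error_code}: ${body.error.error_msg}`);
  return body.response;
}

// Polling with a hard deadline: stops after waitSeconds even if nobody kills
// the process, and marks messages read only when markRead is true.
async function pollMessages({ token, waitSeconds, markRead = false, intervalMs = 1000 }, deps, onMessage) {
  const deadline = Date.now() + waitSeconds * 1000;
  const seen = [];
  while (Date.now() < deadline) {
    const resp = await callVk('messages.getConversations', { count: 20, filter: 'unread' }, token, deps);
    for (const item of resp.items) {
      const msg = item.last_message;
      onMessage(msg);
      seen.push(msg.id);
      if (markRead) await callVk('messages.markAsRead', { peer_id: msg.peer_id }, token, deps);
    }
    const sleep = Math.min(intervalMs, Math.max(0, deadline - Date.now()));
    await new Promise((resolve) => setTimeout(resolve, sleep));
  }
  return seen;
}

// Constructed offline transport standing in for fetch(): serves one unread
// conversation on the first getConversations call, then none, and records
// every method it was asked to perform.
function makeFakeTransport() {
  const calls = [];
  let served = false;
  const transport = async (url) => {
    const method = url.pathname.split('/').pop();
    calls.push(method);
    if (method !== 'messages.getConversations') return { response: 1 };
    const items = served ? [] : [{
      conversation: { peer: { id: 2000000001 } },
      last_message: { id: 1, peer_id: 2000000001, text: 'hello' },
    }];
    served = true;
    return { response: { count: items.length, items } };
  };
  return { transport, calls };
}

async function demo() {
  const fake = makeFakeTransport();
  const deps = { transport: fake.transport, confirm: async () => false }; // nobody approves
  await callVk('groups.edit', { group_id: 1 }, 'TOKEN', deps).catch((e) => console.log(e.message));
  await callVk('wall.post', { owner_id: -1, message: 'hi' }, 'TOKEN', deps).catch((e) => console.log(e.message));
  const ids = await pollMessages({ token: 'TOKEN', waitSeconds: 0.3, intervalMs: 100 }, deps,
    (m) => console.log('new message:', m.text));
  console.log('seen', ids, 'methods called', fake.calls);
}
demo();
```

In a real CLI the `confirm` callback would prompt the operator once per session for `messages.markAsRead` rather than once per message, and `transport` would be `fetch` with a request timeout; the point is that the decision of what may be called lives in `classify`, which is pure and easy to review, not in whatever method name the agent happens to produce.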
