Hacker News Poster
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: hacker-news-poster
Version: 1.0.5
The skill is classified as suspicious primarily due to the explicit plaintext storage of Hacker News session cookies in `~/.hn_cookies.txt` (or a configurable path via `HN_COOKIE_FILE`), as detailed in `SKILL.md` and implemented in `scripts/hn.py`. While this behavior is openly disclosed as a 'Security Note' and is intended for session persistence, it represents a significant vulnerability where session tokens could be exposed if the local filesystem is compromised. There is no evidence of malicious intent such as data exfiltration to unauthorized endpoints, arbitrary code execution, persistence mechanisms, or prompt injection attempts against the agent to perform actions beyond the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or enabling the skill gives the agent a path to use your Hacker News account and keep a reusable login session on disk.
This shows the skill needs Hacker News account credentials and persists an authenticated session, while the supplied registry metadata lists no required env vars and no primary credential.
Requires HN_USERNAME and HN_PASSWORD environment variables. Persists session cookies to ~/.hn_cookies.txt
Declare the HN credential and cookie file in metadata, store cookies with restrictive permissions, prefer environment variables over command-line passwords, and delete the cookie file when done.
If invoked with the wrong text, target item, or profile data, the agent could publicly post or modify content under your HN account.
These are intended capabilities, but they mutate public Hacker News content or account profile data.
Submit stories, comment on threads, edit comments, and update profiles on Hacker News.
Only use after reviewing the exact title, URL/text, parent/comment ID, or profile bio, and consider requiring explicit confirmation before posting.
A user following the standalone instructions later could fetch code that differs from the reviewed registry artifact.
The standalone install example downloads from a moving main branch rather than a pinned release or checksum. It is optional and not an automatic install step.
`curl -O https://raw.githubusercontent.com/frostai-lab/hacker-news-poster/main/scripts/hn.py`
Prefer installing the reviewed registry package or provide a pinned release URL and checksum for standalone downloads.
