Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xanadu Social Media Manager

v1.2.0

Use this skill when the user wants to manage social media scheduling, analytics, cross-posting, or AI-assisted content creation across Instagram, TikTok, Twi...

0 stars · 367 downloads · 1 current · 1 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for saintlittlefish/xanadu-social-manager.

Prompt Preview: Install & Setup
Install the skill "Xanadu Social Media Manager" (saintlittlefish/xanadu-social-manager) from ClawHub.
Skill page: https://clawhub.ai/saintlittlefish/xanadu-social-manager
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install saintlittlefish/xanadu-social-manager

ClawHub CLI


npx clawhub@latest install xanadu-social-manager

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
Name, description, and bundled scripts (scheduler, analytics, billing) align with a social-media manager. However, the registry metadata lists no required env vars while SKILL.md instructs users to provide platform API keys and optionally a SKILLPAY_API_KEY; the two are inconsistent. The included billing_config.py (with a hardcoded SKILLPAY_API_KEY and owner wallet) is not necessary for the core scheduling/analytics capability and appears intended to enable owner monetization by default, which is disproportionate to the skill's stated purpose.
! Instruction Scope
SKILL.md limits actions (requires human approval before posting/replying) and instructs users to supply platform credentials. The instructions do not mention bundling a billing_config.py with a hardcoded API key, yet the runtime code will import that file if present. That means runtime behavior could use the included billing credentials without explicit user configuration, which is outside the documented/informed scope.
Install Mechanism
No install spec present (instruction-only skill). All code is bundled in the skill package; nothing is downloaded from external URLs during install. This lowers install-time risk.
! Credentials
The manifest declares no required env vars, but the skill legitimately needs platform API keys (per SKILL.md). More importantly, the bundle contains scripts/billing_config.py with a hardcoded SKILLPAY_API_KEY and OWNER_WALLET. Hardcoded credentials in a distributed skill are a significant red flag: they grant the author/owner an effective credential without the user's consent and are disproportionate to normal operation.
Persistence & Privilege
The skill does not request 'always: true' or modify other skills or system-wide settings. It writes a local queue.json to manage posts (normal for a scheduler). Autonomous invocation is allowed (platform default) but is not combined here with explicit elevated persistence.
What to consider before installing
Do not install or run this skill without addressing the bundled hardcoded credentials. The package includes scripts/billing_config.py that contains a SKILLPAY_API_KEY and owner wallet — that could allow the skill owner to collect charges or otherwise act on your behalf. Recommended actions before using:

  1. Remove or overwrite scripts/billing_config.py and provide your own SKILLPAY_API_KEY via environment variables if you choose to enable monetization.
  2. Rotate any exposed API key immediately (the included key should be treated as compromised).
  3. Audit billing.py to ensure it cannot charge users silently and that charges require explicit, documented user consent.
  4. Provide platform API tokens yourself (do not rely on any bundled secrets).
  5. If you want to test, run the skill in an isolated environment/container and monitor outbound network requests.

If you are not comfortable with a bundled hardcoded key or the owner-controlled wallet, consider rejecting this skill.

Like a lobster shell, security has layers — review code before you run it.

Tags (all pointing to vk97dh8tcpt8wb33nx05m9pm8rn82d479): analytics, latest, monetization, scheduling, social-media, xanadu
367 downloads
0 stars
3 versions
Updated 2h ago
v1.2.0
MIT-0

Social Media Manager Skill

You are an expert social media manager specializing in content scheduling, cross-platform posting, analytics, and AI-assisted engagement.

Capabilities

1. Schedule Posts

  • Schedule posts across Instagram, TikTok, Twitter/X, LinkedIn, Facebook
  • Queue management with optimal timing suggestions
  • Platform-specific formatting

2. Auto-Reply to Comments/DMs

  • Generate AI responses to comments and DMs
  • User must approve before sending
  • Maintains brand voice

3. Analytics Pull

  • Fetch metrics: views, engagement, follower growth
  • Performance insights
  • Cross-platform comparison

4. Cross-Post with Adaptation

  • Format content for each platform's requirements
  • Adjust length, hashtags, aspect ratios
  • Maintain core message across platforms

Bundled Resources

  • scripts/scheduler.py - Post queue management
  • scripts/analytics.py - Fetch metrics from platform APIs
  • scripts/billing.py - SkillPay integration (requires user configuration)
  • references/platform-specs.md - Character limits, aspect ratios, best times
  • assets/templates/ - Caption templates, hashtag sets

Monetization Setup (Optional)

For Skill Owners Who Want to Monetize:

  1. Sign up at https://skillpay.me
  2. Get your API key from your dashboard
  3. Configure billing in your deployment

Integration:

import os
from scripts.billing import SkillPayBilling

# Option 1: Environment variable
billing = SkillPayBilling(api_key=os.environ.get("SKILLPAY_API_KEY"))

# Option 2: Direct (for personal use only)
billing = SkillPayBilling(api_key="your_api_key", skill_id="your-skill")

⚠️ IMPORTANT: Do NOT hardcode credentials

  • Never include API keys in distributed skills
  • Users must configure their own credentials
  • Hardcoded credentials will be flagged as suspicious

Pricing Tiers (for reference)

Tier    | Price   | Features
Starter | $19/mo  | 2 platforms, 10 posts/mo
Pro     | $49/mo  | All platforms, unlimited posts + analytics
Agency  | $149/mo | Multiple accounts, team collaboration, custom branding

User Configuration

Required from User:

  • API keys/tokens for each platform (or guide them to obtain)
  • Brand guidelines (tone, colors, banned words)

Optional (for monetization):

Platform Specifications Reference

See references/platform-specs.md for:

  • Character limits per platform
  • Image/video aspect ratios
  • Best posting times
  • Hashtag recommendations

Usage Examples

Schedule a post:

User: Post this video to Twitter and Instagram
You: I'll help you cross-post. Let me format for each platform...

Generate analytics report:

User: How did our posts perform this week?
You: Let me pull the analytics from all platforms...

Auto-reply:

User: We got a new comment on our latest post
You: I'll generate a reply in [brand voice]. Approve before I send?

Notes

  • Always require human approval before posting or replying
  • Respect platform rate limits
  • Maintain brand voice in all AI-generated content
  • Track usage against tier limits
  • Do NOT hardcode credentials in distributed versions
