Mallary Openclaw Skill

v1.0.2

Mallary is a multi-platform social media publishing tool for X, Facebook, Instagram, LinkedIn, YouTube, TikTok, Pinterest, Reddit, Threads, and Snapchat. Use...

by Sam T (@sammydigits)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token · Requires sensitive credentials · Posts externally
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, and included docs all describe a social-media publishing CLI. The only required environment variable is MALLARY_API_KEY, which directly matches the stated purpose of authenticating to the Mallary API. No unrelated binaries, config paths, or credentials are requested.
Instruction Scope
SKILL.md instructs the agent to set MALLARY_API_KEY and run Mallary CLI commands (upload, posts create, analytics, etc.). It recommends uploading local media files and using the CLI’s JSON mode. Those actions are expected for a publishing CLI and do not instruct reading unrelated files or exfiltrating data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill (no install spec). It suggests installing the official-looking npm package @mallary/cli and links to npm and GitHub. That is a standard, proportional install path; no opaque downloads or custom installers are included in the skill bundle.
Credentials
Only MALLARY_API_KEY is declared as required. That single secret is appropriate and expected for authenticating to the Mallary API. No other tokens, keys, or unrelated environment variables are requested.
Persistence & Privilege
The skill is not forced-always (always: false) and does not request to modify other skills or system-wide settings. It does suggest adding the API key to a shell profile as optional user guidance (which would persist the key), but that is user-driven and not code-run by the skill itself.
Assessment
This skill appears coherent with its stated purpose, but take normal precautions before installing a third-party CLI:
1) Treat MALLARY_API_KEY as a secret: prefer a scoped or least-privilege API key if the Mallary dashboard supports it and avoid storing it in shared or checked-in dotfiles.
2) Verify the npm package and GitHub repo match (check publisher, recent commits, and npm package tarball contents) before running npm install -g or npx.
3) If you plan to let an autonomous agent use this skill, be aware the agent can perform publishing actions with your API key; restrict or monitor that key and review audit logs on Mallary.
4) For CI or automation, prefer ephemeral or restricted API keys and avoid putting long-lived secrets into global shell profiles on multi-user systems.
If you want extra assurance, inspect the published npm package source (or the repo's dist files) before running it.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🌎 Clawdis
Env: MALLARY_API_KEY