Skill v1.2.1
ClawScan security
Publora Bluesky · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 20, 2026, 1:01 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, network calls, and credential needs are consistent with a Publora→Bluesky posting/scheduling integration and do not request unrelated access.
- Guidance: This skill appears to do exactly what it says: use the Publora API to post or schedule Bluesky content. Before installing or invoking it: (1) Verify you trust Publora and the skill publisher (owner is unknown here). (2) Do not share your main Bluesky password — create and use an app password as instructed. (3) Provide the Publora API key and any app password as secrets (environment variables or secure prompts) rather than pasting them into public chat. (4) Note that image uploads require the agent/process to access local files (e.g., photo_compressed.jpg) — only allow that if you intend the agent to read those files. (5) Because the SKILL.md references a separate 'publora core skill' and does not declare credential env vars, expect some manual setup; confirm where and how the agent will store/obtain the x-publora-key before granting access.
Review Dimensions
- Purpose & Capability (ok): Name/description (post/schedule to Bluesky via Publora) matches the SKILL.md: examples show create-post, get-upload-url, and uploading media to Publora-provided URLs. No unrelated services, binaries, or credentials are requested.
- Instruction Scope (note): Instructions are scoped to HTTP calls to https://api.publora.com and uploading media to returned upload URLs, which is appropriate for this use. The examples show reading a local file for image upload (open('photo_compressed.jpg')), which is expected for media posts but means an agent would need access to that file when asked to attach media. SKILL.md refers to a separate 'publora core skill' (not included here) and does not declare where the Publora API key should be stored, so the agent's runtime behavior for obtaining secrets is underspecified.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself. This is the lowest-risk install profile.
- Credentials (note): The skill requires a Publora API key (x-publora-key) and a Bluesky app password (app password, not main password) — both are proportional to posting/scheduling. However, the registry metadata lists no required env vars, so the SKILL.md and the platform manifest are inconsistent about how credentials are supplied; the skill will require the user/agent to provide secrets at runtime.
- Persistence & Privilege (ok): No always:true, no installs, and no requests to modify agent/system configuration. The skill can be invoked autonomously (default), which is normal and expected for skills — not in itself a red flag.
