Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Publora Instagram
v2.0.1
Post or schedule content to Instagram using the Publora API. Use this skill when the user wants to publish images, reels, stories, or carousels to Instagram...
by Sergey Bulaev (@sergebulaev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md describes publishing/scheduling Instagram posts via the Publora API and the provided example calls (create-post, get-upload-url, PUT to uploadUrl) match that stated purpose. It also references a separate 'publora' core skill for auth/docs — which is sensible but not included here and should be clarified.
Instruction Scope
Runtime instructions tell the agent to call Publora endpoints and to PUT media bytes to S3 upload URLs obtained from the API. This is expected for a posting/scheduling skill, but examples imply reading local image/video files (and using an API key in the x-publora-key header). The SKILL.md does not instruct the agent to read unrelated system files, but it does rely on external upload endpoints (Publora + S3).
Install Mechanism
Instruction-only skill with no install spec or code files. No files will be written to disk by an installer — lowest install risk.
Credentials
The documentation and examples require an API key header (x-publora-key: sk_YOUR_KEY), yet the registry metadata lists no required environment variables or primary credential. This is an inconsistency: the skill will need a secret (Publora API key) to function but does not declare it. That omission hinders safe permissioning and secret storage decisions.
Persistence & Privilege
The skill is not marked always:true and requests no config paths; autonomous invocation is allowed (platform default). There is no evidence the skill tries to modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to be what it says (a Publora-backed Instagram poster), but the SKILL.md clearly uses an API key (x-publora-key) while the skill metadata declares no required credential. Before installing:
1) Confirm where you'll store the Publora API key (ask the skill author to declare a required env var like PUBLORA_API_KEY or primaryEnv) and prefer a least-privilege key.
2) Verify the API base URL (https://api.publora.com) is the official endpoint you expect.
3) Understand that the skill will upload your local images/videos to S3 upload URLs returned by Publora — avoid sending sensitive media unless you trust the service.
4) Check whether the referenced 'publora' core skill is required (authentication/workspace webhook docs) and whether it's available/trusted.
5) If you need to allow autonomous invocation, be aware the agent could post on your behalf whenever invoked; consider restricting invocation or reviewing prompts that trigger it.
If anything above is unclear, ask the skill author to update the metadata to declare the API key requirement and to document where tokens are stored/used.
Like a lobster shell, security has layers — review code before you run it.
