Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Publora Mastodon

v1.2.0

Post or schedule content to Mastodon using the Publora API. Use this skill when the user wants to publish or schedule Mastodon posts via Publora.

by Sergey Bulaev (@sergebulaev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the instructions: the SKILL.md shows how to create/schedule posts and upload media to the Publora API (mastodon.social). However the doc repeatedly shows use of an x-publora-key and refers to a separate 'publora' core skill for auth/scheduling, yet this skill's metadata declares no required env vars, no primary credential, and no dependency on a core skill — an inconsistency.
! Instruction Scope
The instructions include direct examples that open local files (open('photo.jpg')) and upload them to an uploadUrl returned by the API. That implies the agent will need filesystem access to read arbitrary user-specified media and will transmit that file to externally-provided upload URLs. The SKILL.md also uses a hardcoded header pattern ('x-publora-key: sk_YOUR_KEY') but gives no guidance in the metadata about where that key comes from.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lower disk/write risk. Nothing is downloaded or installed by the skill itself.
! Credentials
The runtime examples require an API key (x-publora-key) but the skill declares no required environment variables or primary credential. Either the skill expects the separate 'publora' core skill to supply auth (not declared), or it fails to declare a needed secret. Missing declaration of a required secret is a meaningful incoherence.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It does not declare modifications to other skills or global agent settings.
What to consider before installing
Before installing, ask the publisher to clarify how auth is provided: the SKILL.md uses x-publora-key but the skill metadata lists no required credential. Confirm whether you must supply a Publora API key (and how the agent will store/use it) or whether this skill expects a separate 'publora' core skill to provide auth. Be aware that media upload examples read local files (photo.jpg) and upload them to an external uploadUrl — only provide media you trust to be uploaded, and verify you trust api.publora.com and the resulting storage endpoints. If you do not want the agent to access local files or to hold your Publora API key, do not enable this skill until those behaviors are clearly documented.
