Blogburst

Warn

Audited by ClawScan on May 10, 2026.

Overview

BlogBurst clearly discloses its purpose, but it can automate public posting, replies, likes, follows, and ongoing auto-pilot activity without enough documented approval boundaries.

Review this skill carefully before installing. It is not obviously malicious, but it is designed to act as an autonomous social media operator. Do not connect real Twitter, Bluesky, Telegram, or Discord accounts unless you are comfortable with BlogBurst posting, replying, liking, following, and processing your content through its external API. Use strict limits, review drafts, and verify how to disable auto-pilot.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could trigger public posting or engagement workflows that affect the user's brand, reputation, or social accounts.

Why it was flagged

The skill exposes a broad conversational endpoint that can configure high-impact social-media behavior, including enabling auto-pilot, without documenting required human confirmation or draft review.

Skill content

**Agent Chat (does everything via conversation):** `POST /assistant/agent-chat-v2` ... "Turn on auto-pilot, 3 posts per day"

Recommendation

Only use the full API with explicit user approval for each public action, and require draft review before posting, replying, liking, following, or enabling automation.

What this means

Once enabled, the service may continue posting or managing engagement without the user reviewing every action.

Why it was flagged

The artifact documents an ongoing auto-pilot mode that can continue posting after configuration, but it does not clearly document review gates, stopping conditions, or rollback controls.

Skill content

**Auto-Pilot:** ... `POST /assistant/auto-pilot` — configure: `{"enabled": true, "posts_per_day": 3, "platforms": ["twitter", "bluesky"]}`

Recommendation

Confirm there is an easy way to disable auto-pilot, set strict limits, review scheduled content, and monitor daily activity before connecting real social accounts.

What this means

The service may be able to act through connected social accounts, including posting and engagement actions.

Why it was flagged

The skill requires a BlogBurst API key and social-account connections for full functionality. This is expected for the stated purpose, but it delegates meaningful account authority to the service.

Skill content

Connect Twitter or Bluesky (1-click) — Telegram works without OAuth ... All authenticated requests use: `X-API-Key: $BLOGBURST_API_KEY`

Recommendation

Review the OAuth scopes and connected-account permissions, use the least-privileged plan/account possible, and revoke access if you stop using the service.

What this means

Private launch plans, unpublished drafts, or sensitive brand information could be shared with BlogBurst if entered into the workflow.

Why it was flagged

The skill sends user-provided marketing content, product topics, domains, and brand information to the external BlogBurst API. This is purpose-aligned, but it is still an external data flow.

Skill content

`POST /repurpose` ... `{"content": "Your blog post or article text here", "platforms": ["twitter", "bluesky"]}`

Recommendation

Avoid sending confidential drafts or sensitive business information unless you trust BlogBurst's data handling and retention policies.