Blogburst
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: blogburst
Version: 3.2.3
The BlogBurst skill is a standard API integration for a social media automation service (blogburst.ai). It provides instructions for an AI agent to generate content, manage social media accounts, and perform brand audits via documented endpoints at api.blogburst.ai. The skill uses a user-provided environment variable (BLOGBURST_API_KEY) for authentication and does not exhibit any signs of data exfiltration, malicious execution, or deceptive prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could trigger public posting or engagement workflows that affect the user's brand, reputation, or social accounts.
The skill exposes a broad conversational endpoint that can configure high-impact social-media behavior, including enabling auto-pilot, without documenting required human confirmation or draft review.
**Agent Chat (does everything via conversation):** `POST /assistant/agent-chat-v2` ... "Turn on auto-pilot, 3 posts per day"
Only use the full API with explicit user approval for each public action, and require draft review before posting, replying, liking, following, or enabling automation.
Once enabled, the service may continue posting or managing engagement without the user reviewing every action.
The artifact documents an ongoing auto-pilot mode that can continue posting after configuration, but it does not clearly document review gates, stopping conditions, or rollback controls.
**Auto-Pilot:** ... `POST /assistant/auto-pilot` — configure: `{"enabled": true, "posts_per_day": 3, "platforms": ["twitter", "bluesky"]}`
Confirm there is an easy way to disable auto-pilot, set strict limits, review scheduled content, and monitor daily activity before connecting real social accounts.
The service may be able to act through connected social accounts, including posting and engagement actions.
The skill requires a BlogBurst API key and social-account connections for full functionality. This is expected for the stated purpose, but it delegates meaningful account authority to the service.
Connect Twitter or Bluesky (1-click) — Telegram works without OAuth ... All authenticated requests use: `X-API-Key: $BLOGBURST_API_KEY`
Review the OAuth scopes and connected-account permissions, use the least-privileged plan/account possible, and revoke access if you stop using the service.
Private launch plans, unpublished drafts, or sensitive brand information could be shared with BlogBurst if entered into the workflow.
The skill sends user-provided marketing content, product topics, domains, and brand information to the external BlogBurst API. This is purpose-aligned, but it is still an external data flow.
`POST /repurpose` ... `{"content": "Your blog post or article text here", "platforms": ["twitter", "bluesky"]}`
Avoid sending confidential drafts or sensitive business information unless you trust BlogBurst's data handling and retention policies.
