SendIt OpenClaw

v0.1.0

Execute SendIt social publishing workflows in OpenClaw using the official @senditapp/openclaw plugin tools.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the declared behaviors: SKILL.md directs the agent to use an @senditapp/openclaw plugin and lists SendIt tool calls. The single required config path (plugins.entries.sendit.enabled) aligns with enabling a plugin. There are no unrelated env vars, binaries, or config paths requested.
Instruction Scope
The SKILL.md workflows instruct only the use of prefixed SendIt plugin tools (connect accounts, publish/schedule, analytics, inbox, etc.). It does not direct reading unrelated system files, arbitrary env variables, or sending data to unexpected endpoints; OAuth flows are handled by asking the user to complete OAuth URLs as expected for account connection.
Install Mechanism
The SKILL.md includes an npm install entry for the scoped package '@senditapp/openclaw'. Installing an npm package is a plausible and expected mechanism for a plugin, but npm installs run third‑party code (moderate risk). The package is scoped (suggesting an org) and there are no raw URL downloads or archive extracts. Note: registry metadata earlier indicated 'no install spec', but the SKILL.md itself includes the npm install instruction.
Credentials
No environment secrets or API keys are required by the skill; account authentication is handled via OAuth flows (user completes URLs). The declared config path to enable the plugin is proportional to the purpose. No unrelated credentials are requested.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. The skill does not request system-wide config changes or access to other skills' credentials. No elevated persistence or unexplained privileges are requested.
Assessment
This skill is internally consistent: it installs a scoped npm plugin and uses only plugin-provided tools to manage social publishing and OAuth flows. Before installing, verify the npm package and publisher (search npmjs.com or the project's repo) to confirm it's the official SendIt package; scoped packages can still contain arbitrary code. Understand that installing the plugin gives it capability to act on connected social accounts (post, delete, read inbox, etc.), so only enable it when you trust the publisher and restrict account permissions as much as possible. If you need higher assurance, ask the publisher for a homepage/repo link and review the package source or audit the package before installation.

Like a lobster shell, security has layers — review code before you run it.

latest vk976yr0fp5r1r42vggsndkxeph832bf1


Runtime requirements

Config: plugins.entries.sendit.enabled
