ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Publora Twitter

Post or schedule content to X (Twitter) using the Publora API. Use this skill when the user wants to tweet, schedule a tweet, or post a thread to X/Twitter v...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 566 · 1 current installs · 1 all-time installs
bySergey Bulaev@sergebulaev
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md shows coherent, purpose-aligned behavior (calling publora endpoints to create posts, schedule, upload media). However, it requires an 'x-publora-key' API key in examples while the registry metadata declares no required environment variables or primary credential. The skill also references a separate 'publora' core skill for auth — the relationship/dependency is not expressed in the metadata, which is an incoherence.
Instruction Scope
The runtime instructions stay on-topic: examples show HTTP calls to publora endpoints, threading/scheduling/media rules, and no instructions to read local files, shell history, or unrelated system state. The main scope issue is that the instructions assume the agent has access to a Publora API key but do not show how that key should be supplied or protected.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no installer or downloaded code to evaluate — low installation risk. The scanner had nothing to analyze.
!
Credentials
SKILL.md uses an API key header ('x-publora-key: sk_YOUR_KEY') but the skill metadata lists no required env vars or primary credential. That omission is a proportionality/information problem: the skill clearly needs a secret to operate, but the registry does not declare where that secret should come from or what environment variable name should be used, making it unclear how secrets will be handled and increasing the risk of ad-hoc secret provisioning or accidental exposure.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not claim to modify other skills or system-wide settings. No elevated persistence or privilege is requested in the metadata.
What to consider before installing
This skill appears to do what it says (post/schedule threads via the Publora API), but the package metadata fails to declare the required Publora API key. Before installing or using it, ask the publisher to clarify how the API key is supplied (which env var or secret store), confirm the existence and provenance of the referenced 'publora' core skill, and verify the skill's source/homepage (none is provided). Only provide an API key you control and rotate it if you suspect misuse. If you need stronger assurance, prefer a skill that explicitly declares its required credential (primaryEnv) and links to a verifiable source or homepage.

Like a lobster shell, security has layers — review code before you run it.

Current versionv2.0.1
Download zip
latestvk976b6ne8gtdeh0g2ksz9vryzd839frt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Publora — X / Twitter

X/Twitter platform skill for the Publora API. For auth, core scheduling, media upload, and workspace/webhook docs, see the publora core skill.

Base URL: https://api.publora.com/api/v1
Header: x-publora-key: sk_YOUR_KEY
Platform ID format: twitter-{userId}

⚠️ Twitter/X requires Pro or Premium plan — excluded from the Starter plan.

Platform Limits (API)

⚠️ API limits differ from native app. Design against these.

PropertyAPI LimitNotes
Text280 characters25,000 with Premium account
ImagesUp to 4 × 5 MBAll formats auto-converted to PNG (max 1000px width)
Video2 min (120s) / 512 MB⚠️ Native allows 2:20 — API is stricter
Video formatMP4, MOV
Threading✅ Auto-split with (1/N) or manual ---See Threading section
Text only✅ Yes

Common errors:

  • This user is not allowed to post a video longer than 2 minutes — trim video to under 120s

Character Counting

X has specific rules Publora handles automatically:

  • Standard characters count as 1
  • Emojis count as 2 characters
  • URLs are counted by their literal length — Publora does NOT apply Twitter's 23-character URL shortening rule

Post a Tweet

await fetch('https://api.publora.com/api/v1/create-post', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'x-publora-key': 'sk_YOUR_KEY' },
  body: JSON.stringify({
    content: 'Just shipped a new feature! 🚀 #buildinpublic',
    platforms: ['twitter-123456789']
  })
});

Threading

Auto-split (content > 280 chars)

Publora automatically splits at paragraph/sentence/word breaks and adds (1/N) markers (e.g., (1/3), (2/3)). 10 characters reserved per tweet for the marker.

Manual split with ---

Use --- on its own line to define exact split points:

body: JSON.stringify({
  content: '1/ Everything I learned building in public this year.\n\n---\n\n2/ First lesson: ship early. Don\'t wait for perfect.\n\n---\n\n3/ Second lesson: your audience is your best product team.',
  platforms: ['twitter-123456789']
})

Explicit markers [n/m]

Use [1/3], [2/3] etc. — Publora detects these and splits at those points exactly (preserves as written).

Media in threads

  • Up to 4 images or 1 video attached to the first tweet only
  • Subsequent tweets in thread are text-only
  • Images and video cannot be mixed in the same tweet

Schedule a Tweet

body: JSON.stringify({
  content: 'Scheduled announcement: our product launches tomorrow! 🎉',
  platforms: ['twitter-123456789'],
  scheduledTime: '2026-03-20T14:00:00.000Z'
})

Platform Quirks

  • Pro/Premium required — Twitter/X is excluded from the Starter plan
  • All images → PNG: Publora auto-converts all image formats (JPEG, WebP, GIF, etc.) to PNG and resizes to max 1000px width before uploading
  • API video limit is 2 min — not 2:20 like native app; videos over 120s will fail
  • Emojis count as 2 chars — factor this into character counting
  • URLs use literal length — Publora does NOT apply Twitter's 23-char shortening; a 40-char URL counts as 40
  • Premium accounts get 25,000 character limit — Publora uses extended limit automatically
  • GIF posts count as a video, not an image — different size/count rules apply
  • Media only on first tweet when threading

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…