Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AutoPost GitHub Bounty

v1.0.0

Automatically generate and post optimized social media content promoting GitHub bounty campaigns using repo data and custom messages.

0 stars · 76 downloads · 0 current · 0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for vut08905/autopost-github-bounty.

Prompt preview (Install & Setup):
Install the skill "AutoPost GitHub Bounty" (vut08905/autopost-github-bounty) from ClawHub.
Skill page: https://clawhub.ai/vut08905/autopost-github-bounty
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install autopost-github-bounty

ClawHub CLI


npx clawhub@latest install autopost-github-bounty

Security Scan

VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill claims to 'send posts' to Twitter/Facebook/etc., but autopost.js only fetches repository details from the GitHub API and logs a message; there is no implemented platform integration. SKILL.md asks for social API tokens, but the package metadata lists no required env vars — capabilities and declared requirements do not match.
Instruction Scope
SKILL.md tells the user to run the script with flags such as --repo and --platform, but autopost.js reads raw process.argv positions with no flag parsing, so the documented invocation does not work as written. The instructions say GitHub and social API tokens are required but never explain how to supply them (.env usage is not mentioned), while the code loads dotenv and reads process.env.GITHUB_TOKEN. The runtime instructions are vague and inconsistent with what the code actually does.
Install Mechanism
There is no custom install script; dependencies are standard npm packages (axios, dotenv) with package-lock referencing npm registry URLs. No external or unusual download URLs or archive extraction were present in the manifest.
Credentials
Registry metadata lists no required env vars, but autopost.js expects GITHUB_TOKEN (via process.env) and uses dotenv. SKILL.md additionally requests social platform tokens that the code does not use. Environment variable requirements are under-declared and misaligned with both the README and the code.
Persistence & Privilege
The skill does not request always:true, does not modify system or other skills, and does not declare persistent system-level privileges. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges.
What to consider before installing
This skill is inconsistent: it advertises automatic multi-platform posting, but the code only reads a GitHub repo and prints a composed message. Before running it or providing any credentials:

  1. Don't supply API tokens until you have audited the code. The registry declared no required env vars, yet the script reads GITHUB_TOKEN via dotenv.
  2. Verify and fix the invocation: the script does not parse the --repo/--platform flags shown in SKILL.md.
  3. If you need actual posting, inspect or implement the platform-specific APIs yourself rather than trusting this package.
  4. Run npm install and execute the script only in a sandboxed environment or a CI runner you control.
  5. Review package-lock for suspicious third-party packages and consider pinning or replacing dependencies.

Because of these mismatches and the missing documentation, treat the package as untrusted until you have confirmed its behavior and provenance.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

autopost.js:11: Environment variable access combined with network send.
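As an added example (this is not ClawHub's scanner and not the skill's own code), the Node script below performs two of the pre-install checks described above offline: it lists the process.env names a script reads and the lines that send network traffic (the "env access combined with network send" pattern flagged at autopost.js:11), compares the variables read against the list the registry declared (empty for this skill), and reports package-lock entries whose tarball is resolved from somewhere other than registry.npmjs.org. The source text and lockfile it scans are constructed samples shaped like the scan's description of autopost.js, not the real files; the off-registry package in the sample lockfile is invented to show what a hit looks like, since the scan found none in the actual manifest.

```javascript
// Added example, not part of the skill or of ClawHub. Scans a JS source string
// and a package-lock.json string for the patterns the scan results describe.
const REGISTRY = 'https://registry.npmjs.org/';

// Constructed stand-in for autopost.js: reads a token from the environment and
// sends it over the network, the shape flagged at autopost.js:11.
const SAMPLE_SOURCE = `require('dotenv').config();
const axios = require('axios');
const repo = process.argv[2];
const token = process.env.GITHUB_TOKEN;
axios.get('https://api.github.com/repos/' + repo, {
  headers: { Authorization: 'token ' + token },
}).then(r => console.log(r.data.description));
`;

// Constructed package-lock excerpt: two registry entries plus one invented
// entry pulled from outside the npm registry (absent from the real manifest).
const SAMPLE_LOCK = JSON.stringify({
  packages: {
    'node_modules/axios': { version: '1.6.0', resolved: 'https://registry.npmjs.org/axios/-/axios-1.6.0.tgz' },
    'node_modules/dotenv': { version: '16.4.5', resolved: 'https://registry.npmjs.org/dotenv/-/dotenv-16.4.5.tgz' },
    'node_modules/evil-helper': { version: '0.0.1', resolved: 'https://example.invalid/evil-helper.tgz' },
  },
});

// Every environment variable name the source reads, via process.env.X or process.env["X"].
function envReads(src) {
  const names = new Set();
  for (const m of src.matchAll(/process\.env(?:\.(\w+)|\[\s*['"]([^'"]+)['"]\s*\])/g)) {
    names.add(m[1] || m[2]);
  }
  return [...names].sort();
}

// 1-based line numbers that call a common network-sending API. Only the usual
// call shapes are matched; treat this as a triage aid, not a proof of absence.
function networkLines(src) {
  const re = /\b(axios\.(get|post|put|patch|delete|request)|fetch|https?\.(get|request))\s*\(/;
  return src.split('\n').flatMap((line, i) => (re.test(line) ? [i + 1] : []));
}

// Env vars the code reads that the registry metadata does not declare.
function undeclaredEnv(src, declared) {
  const want = new Set(declared);
  return envReads(src).filter(n => !want.has(n));
}

// Lockfile entries whose tarball is not served from the npm registry.
function offRegistryPackages(lockJson) {
  const lock = JSON.parse(lockJson);
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue;                       // "" is the root project itself
    const resolved = entry.resolved || '';
    if (!resolved.startsWith(REGISTRY)) out.push({ path, resolved });
  }
  return out;
}

// Combine the checks into human-readable findings.
function audit(src, lockJson, declaredEnv) {
  const findings = [];
  const env = envReads(src);
  const net = networkLines(src);
  if (env.length && net.length) {
    findings.push(`env access (${env.join(', ')}) combined with network send on line(s) ${net.join(', ')}`);
  }
  for (const n of undeclaredEnv(src, declaredEnv)) {
    findings.push(`reads ${n} but the registry metadata does not declare it`);
  }
  for (const p of offRegistryPackages(lockJson)) {
    findings.push(`${p.path} resolved outside the npm registry: ${p.resolved}`);
  }
  return findings;
}

// Usage on the constructed samples; the registry declared no env vars, hence [].
for (const f of audit(SAMPLE_SOURCE, SAMPLE_LOCK, [])) console.log('!', f);
```

To use it on a real package, read autopost.js and package-lock.json with fs.readFileSync and pass the strings to audit() before running npm install. A finding means "read that line", not "the package is malicious": the matcher recognises only common call shapes, so a script that obfuscates its network call or builds the variable name dynamically will pass silently, which is one more reason to read the code yourself.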

Like a lobster shell, security has layers — review code before you run it.

latest: vk97d3warsafxaqt89cfppfryrd84mxnn
76 downloads · 0 stars · 1 version · Updated 2w ago · v1.0.0 · MIT-0

AutoPost GitHub Bounty Campaign

Description

This skill automatically generates shareable content for bounty campaigns on GitHub. It helps you post effectively to increase participation and complete the bounty's requirements.


Features

  1. Fetch the title and description from a GitHub repository.
  2. Generate a post whose content is optimized around a call to action (CTA).
  3. Send the post to social networks (Twitter, Facebook, etc.).

Required configuration

  • GitHub API token (to fetch repository information).
  • API tokens for the social platforms (Twitter, etc.).

Installation guide

  1. Clone the repo:
git clone https://github.com/<user>/clawhub-skill-autopost.git
  2. Install dependencies:
npm install
  3. Run the skill:
node autopost.js --repo <repo_url> --platform "twitter" --message "<custom_message>"
