Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Zernio CLI
v1.0.5
Schedule and manage social media posts across 14 platforms from the CLI
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (social scheduling CLI) match required artifacts: ZERNIO_API_KEY, SDK dependency (@zernio/node), commands to list accounts, create posts, upload media, and auth flows. Declared dependencies (open, yargs) and config paths (~/.zernio/config.json and legacy ~/.late/config.json) are appropriate for a CLI of this type.
Instruction Scope
SKILL.md and command implementations stay within the stated purpose: they call the Zernio API via the SDK or direct fetch, read/write the CLI's own config, read local media files for upload, and open a browser for device auth. No instructions request unrelated system data or broad discretionary data collection.
Install Mechanism
There is no high-risk arbitrary download; installation is via npm (SKILL.md recommends `npm install -g @zernio/cli`) and package.json lists standard dependencies. The bundle includes source files rather than an opaque remote installer.
Credentials
Only ZERNIO_API_KEY (primary credential) is required — this is proportional. The CLI persists the API key in plaintext under ~/.zernio/config.json (and supports legacy ~/.late/config.json). The skill also supports setting a custom API URL via env or auth:set --url; if redirected to a malicious endpoint this could expose the API key, so the user should only configure trusted endpoints.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It stores its own config under the user's home directory (~/.zernio) which is normal for a CLI.
Assessment
This CLI appears to do exactly what it says: manage and schedule posts via the Zernio API. Before installing, consider: (1) The tool stores your API key in plaintext at ~/.zernio/config.json (and will read legacy ~/.late/config.json); protect that file and rotate the key if the machine is shared. (2) You can configure a custom API base URL via env or auth:set --url — only use trusted endpoints because the CLI will send your API key there. (3) The CLI uses an SDK package (@zernio/node) and opens the browser for device auth; verify the npm package and repository (package.json points to https://github.com/zernio-dev/zernio-cli and homepage zernio.com) if you want provenance assurance. (4) If you plan to allow autonomous agents to call this skill, be aware an agent with access to the skill can use your API key to post on connected social accounts — grant the API key only the minimum needed permissions and consider creating a limited-scope key.
src/commands/media.ts:1
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
latest: vk971s51z5efc640cazek375q5x83hvgt
Runtime requirements
Env: ZERNIO_API_KEY
Primary env: ZERNIO_API_KEY
