ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Looper

v1.2.0

Automate content creation, code improvement, and social media posting via Looper (looper.bot). Use when setting up automated blog posts, continuous code impr...

0· 204·0 current·0 all-time
by@builder-nc

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for builder-nc/looper.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Looper" (builder-nc/looper) from ClawHub.
Skill page: https://clawhub.ai/builder-nc/looper
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install looper

ClawHub CLI

Package manager switcher

npx clawhub@latest install looper
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md and helper script clearly require a Looper admin key (LOOPER_ADMIN_KEY) and describe GitHub/Stripe/social integrations — that's consistent with the stated purpose. However, the registry metadata lists no required environment variables or primary credential, which is an inconsistency: the skill will not work without LOOPER_ADMIN_KEY and Github/third-party connectivity for some features.
!
Instruction Scope
Instructions focus on API calls to https://api.looper.bot and include examples that create loops which can automatically commit to GitHub and embed third-party API keys inside the prompt payloads. The agent instructions do not read local system files, but they do direct sensitive data (admin key, upload_post_api_key) to the remote service and encourage 'auto' commit mode which gives the service ability to modify your repos.
Install Mechanism
No install spec — instruction-only plus a small helper shell script. Nothing is downloaded from third-party URLs or installed on disk by the skill itself, which keeps install risk low.
!
Credentials
The SKILL.md requires LOOPER_ADMIN_KEY (a powerful tenant-scoped credential) but the registry didn't declare it. Additionally, examples show placing other API keys (e.g., upload_post_api_key) inside loop prompts/target configs; these keys would be transmitted to and stored by the Looper service. Requesting an admin key for the service is proportionate to the functionality, but the omission from registry metadata and the potential for storing many third-party keys is a notable risk.
Persistence & Privilege
The skill is not always-enabled and does not request system-level persistence. However, Looper's 'auto' mode can autonomously commit changes to connected GitHub repos and run scheduled loops; combined with the admin key this grants the external service broad operational ability. Autonomous invocation is the platform default — the real risk comes from the admin key + auto-commit configuration, not from the skill flags.
What to consider before installing
Before installing, confirm you trust https://looper.bot and understand that: - The skill needs a LOOPER_ADMIN_KEY (admin API key) even though the registry metadata omitted it — you must supply this as an environment variable for the helper script and the SKILL to operate. - In 'auto' mode Looper can commit changes to connected GitHub repos; prefer 'propose' (PR) mode during testing and grant the minimal GitHub permissions (use a dedicated bot/service account if possible). - Do not place unrelated high-value secrets (personal API keys, production DB credentials) into loop prompts or target_config; examples show embedding upload_post_api_key in payloads which will be sent to and may be stored by the Looper service. - Verify how Looper stores and logs prompts/keys (privacy/security policy) and rotate keys you provide periodically. - The registry inconsistency (missing required env var) suggests sloppy packaging — ask the publisher to correct the metadata and provide an explicit list of required credentials and recommended least-privilege scopes before you proceed.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔄 Clawdis
latestvk979303rf68y65jreb5d514csd836e62
204downloads
0stars
3versions
Updated 8h ago
v1.2.0
MIT-0
@builder-nc
latest
Download

Looper - Continuous Improvement Engine

Looper runs automated loops that analyze, create, and improve your content and code on a schedule.

Quick Start

1. Sign Up

curl -X POST https://api.looper.bot/api/signup \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your-password"}'

Response includes admin_key (starts with lp_). Save it - shown only once.

2. Login (if you need tenant info later)

curl -X POST https://api.looper.bot/api/login \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your-password"}'

3. Create a Loop

All API calls require Authorization: Bearer <your-admin-key>.

Blog Kit (Daily Blog Posts)

Generates and commits blog posts to your GitHub repo on a schedule.

curl -X POST https://api.looper.bot/api/loops \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My Blog",
    "target_type": "github",
    "target_config": {
      "owner": "<github-owner>",
      "repo": "<repo-name>",
      "branch": "main",
      "path": "blog"
    },
    "template_id": "68b7e661-46e1-45cd-b25a-584b8cd392b1",
    "schedule": "0 6 * * *",
    "schedule_tz": "America/New_York",
    "mode": "auto",
    "model": "gpt-4o-mini",
    "questions": ["Write a blog post about <your-topic>. Research current events. 400-600 words. NO em dashes. Include YAML frontmatter with slug, title, excerpt, date, readTime, tag."]
  }'

Key fields:

  • target_config.path - directory in your repo where markdown posts land
  • schedule - cron expression (e.g., 0 6 * * * = daily at 6 AM)
  • schedule_tz - timezone for the schedule
  • mode - auto (commit directly), propose (open PR), notify (just alert)
  • questions[0] - the prompt that drives content generation

Blog Kit template ID: 68b7e661-46e1-45cd-b25a-584b8cd392b1

Analyze (Code Improvement)

Reviews your codebase and suggests or applies improvements.

curl -X POST https://api.looper.bot/api/loops \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Code Review",
    "target_type": "github",
    "target_config": {
      "owner": "<github-owner>",
      "repo": "<repo-name>",
      "branch": "main"
    },
    "schedule": "0 2 * * 1",
    "mode": "propose",
    "questions": [
      "Are there any security vulnerabilities?",
      "Is error handling consistent?",
      "Are there performance bottlenecks?"
    ]
  }'

Social Kit (Multi-Platform Posting)

Generates and publishes social media content via Upload-Post integration.

Social Kit template ID: 7431b897-396f-4542-8e32-d8d1c5e445a2

curl -X POST https://api.looper.bot/api/loops \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Social Posts",
    "target_type": "text",
    "target_config": {},
    "template_id": "7431b897-396f-4542-8e32-d8d1c5e445a2",
    "schedule": "0 9 * * 1,3,5",
    "mode": "auto",
    "questions": ["{\"upload_post_profile\": \"my-profile\", \"upload_post_api_key\": \"<key>\", \"platforms\": [\"x\", \"linkedin\"], \"business_name\": \"My Business\", \"industry\": \"tech\"}"]
  }'

Managing Loops

List your loops

curl -s https://api.looper.bot/api/loops \
  -H "Authorization: Bearer <key>"

View loop details

curl -s https://api.looper.bot/api/loops/<loop-id> \
  -H "Authorization: Bearer <key>"

View run history

curl -s https://api.looper.bot/api/loops/<loop-id>/runs \
  -H "Authorization: Bearer <key>"

Toggle loop on/off

curl -X PATCH https://api.looper.bot/api/loops/<loop-id> \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{"enabled": false}'

Trigger a run manually

curl -X POST https://api.looper.bot/api/loops/<loop-id>/run \
  -H "Authorization: Bearer <key>"

Update loop settings

curl -X PATCH https://api.looper.bot/api/loops/<loop-id> \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{"schedule": "0 8 * * *", "model": "gpt-4o"}'

Delete a loop

curl -X DELETE https://api.looper.bot/api/loops/<loop-id> \
  -H "Authorization: Bearer <key>"

Plans

PlanLoopsRuns/MonthPrice
Free260$0
Pro10300$19/mo
Team501,500$49/mo
EnterpriseUnlimitedUnlimitedContact

Upgrade via Stripe: POST /api/stripe/checkout with {"plan": "pro"}.

GitHub Connection

Connect GitHub for repo-targeted loops:

# Get OAuth URL
curl -s https://api.looper.bot/api/github/connect \
  -H "Authorization: Bearer <key>"

# Visit the returned URL to authorize, then check status:
curl -s https://api.looper.bot/api/github/status \
  -H "Authorization: Bearer <key>"

API Key Management

# List keys (metadata only, not the key itself)
curl -s https://api.looper.bot/api/keys \
  -H "Authorization: Bearer <key>"

# Generate a new key
curl -X POST https://api.looper.bot/api/keys \
  -H "Authorization: Bearer <key>" \
  -H "Content-Type: application/json" \
  -d '{"name": "CI Key"}'

Agent Adoption Flow

When an agent needs automated content or code improvement:

  1. Check if the agent already has a Looper account (look for LOOPER_ADMIN_KEY in env)
  2. If not, sign up via the API and save the admin key
  3. Connect GitHub if targeting a repo
  4. Create a loop with the appropriate template and schedule
  5. Verify the first run succeeds

The agent can then manage the loop entirely via API - no browser needed.

Comments

Loading comments...