Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Social Post

v1.5.0

Post and reply to X/Twitter and Farcaster with text and images. Features multi-account support, dynamic Twitter tier detection (Basic/Premium), auto-variation to avoid duplicate content detection, draft preview, character validation, threads, replies, and image uploads. Consumption-based pricing for X API, pay-per-cast for Farcaster.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious (view report)
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The declared purpose is social posting to X (Twitter) and Farcaster, which matches the code. However the declared requirements (requires.env only lists X_* keys) omit the Farcaster private keys and custody data that the code actually needs. The code also expects a separate farcaster-agent repo and Node tooling (npm/node) which are not declared. Several scripts hardcode absolute paths under /home/phan_harry/.openclaw (env file, repo, cache), meaning the skill will try to access another user's files rather than the current user's HOME — this is inconsistent and unexpected for a general-purpose social-post skill.
Instruction Scope
SKILL.md instructs storing credentials under ~/.openclaw and using dry-run for testing, but the code: (1) sources /home/phan_harry/.openclaw/.env (absolute path) rather than respecting $HOME/tilde; (2) reads/writes a tier cache at /home/phan_harry/.openclaw/workspace/... and expects a farcaster-agent repo at /home/phan_harry/.openclaw/workspace/skills/farcaster-agent/repo; (3) uses GPG decryption and may read $HOME/.openclaw/.env.secrets.gpg; (4) uploads images to external hosts (catbox.moe, uguu.se) and shortens links via tinyurl — these are expected but should be explicit. Critically, tier detection's Python code attempts an authenticated POST to the API (/2/tweets) with a 281-char test payload to infer limits; that operation may create a real tweet (the code does not reliably perform a safe dry-run), contradicting the SKILL.md's promise that detection is a safe check.
Install Mechanism
No install spec is provided yet the code invokes Node/npm (npm run cast, inline node -e) and expects external Node modules and a farcaster-agent repo. Required binaries declared are bash, curl, jq, python3, shuf — but node/npm and gpg are used and not declared. Having no install step but depending on undeclared tooling and another skill's repo is an incoherent and risky design choice.
Credentials
The manifest requires only X_CONSUMER_KEY etc., but the code needs many additional secrets (FARCASTER custody/private keys, signer keys, FARCASTER_CUSTODY_ADDRESS, possibly OPENCLAW_GPG_PASSPHRASE). The SKILL.md and README instruct storing Farcaster credentials in ~/.openclaw/farcaster-credentials.json or in .env, but these are not listed in requires.env. The skill also supports multi-account prefixes (OXDASX_*) but that mapping is not fully documented in the manifest. Requesting and reading private keys and GPG secrets is necessary for Farcaster posting, but the omission from declared requirements and the hardcoded paths makes the requested secrets disproportionate and under-documented.
Persistence & Privilege
The skill writes a tier cache file (twitter-account-tiers.json) under /home/phan_harry/.openclaw/workspace/memory and may create/read other files in that hardcoded directory. While 'always' is false, the hardcoded file paths reference another user's home and another skill's repo; this gives the skill persistent read/write access to host-specific locations beyond its own isolated workspace. It does not appear to modify other skills' configurations directly, but it depends on and uses other-skill directories (farcaster-agent) which is a privilege/safety concern.
What to consider before installing
Do not run this skill with live credentials until these issues are resolved. Specific recommendations:
- Ask the author to remove hardcoded /home/phan_harry paths and use $HOME or relative paths so the skill accesses the current user's files only.
- Require and document all needed credentials explicitly (Farcaster custody and signer keys, FARCASTER_CUSTODY_ADDRESS, and any OPENCLAW_GPG_PASSPHRASE), or avoid reading unrelated host files.
- Declare all runtime binaries (node, npm, gpg) and Node package dependencies (e.g., @farcaster/hub-nodejs), or provide an install spec that installs them from known sources.
- Fix tier detection so it does not attempt real POSTs as a detection method (use safe API endpoints or explicit capability calls that don't create posts), and make dry-run behavior reliable.
- Confirm the presence of, or provide, the missing TWITTER_POST_SCRIPT and farcaster-agent repo (or remove reliance on external skill repos).
- If you must test, run the skill in an isolated environment (throwaway account/container) and inspect network calls (outbound endpoints) and file accesses first.
If you don't control or verify these fixes, treat the skill as risky because it may read host-specific secrets and could perform unintended posts or external network operations.


Latest version id: vk97702nz1n54cqd7e16ygja3g580zmv4


Runtime requirements

Bins: bash, curl, jq, python3, shuf
Env: X_CONSUMER_KEY, X_CONSUMER_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET
