ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Outfeed Social Manager

v1.0.0

Schedule and publish social media posts to 9 platforms (Instagram, Facebook, TikTok, YouTube, X/Twitter, LinkedIn, Threads, Pinterest, Bluesky) from your AI...

0· 60·0 current·0 all-time
byMehran G@mehrang0

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mehrang0/outfeed-social-manager.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Outfeed Social Manager" (mehrang0/outfeed-social-manager) from ClawHub.
Skill page: https://clawhub.ai/mehrang0/outfeed-social-manager
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: OUTFEED_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install outfeed-social-manager

ClawHub CLI

Package manager switcher

npx clawhub@latest install outfeed-social-manager
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's goal (Outfeed social manager) aligns with requiring an Outfeed API key and providing tools to list accounts, create drafts, schedule, and publish. However, the registry metadata at the top of the package claims no required env vars/binaries while SKILL.md declares OUTFEED_API_KEY and requires 'npx' — that metadata mismatch is incoherent.
Instruction Scope
The SKILL.md stays within the described domain (social-post management) and does not instruct the agent to read unrelated files or credentials. It does, however, instruct launching an MCP server (npx @outfeedai/mcp-server) which will run code fetched from the network — this gives that remote code runtime capability on the agent host and broad discretion to access or transmit data related to social accounts.
!
Install Mechanism
There is no install spec, but SKILL.md tells the agent to run 'npx -y @outfeedai/mcp-server'. That will fetch and execute a package from the npm registry at runtime. Fetching and running arbitrary npm packages is a moderate-to-high risk activity (code is not pre-reviewed, can perform network I/O, file I/O, etc.). The package identity (@outfeedai/mcp-server) should be verified before use; the skill does not pin a version or integrity digest.
Credentials
The only credential the skill requests in SKILL.md is OUTFEED_API_KEY (declared required and marked secret), which is proportionate to a social-posting manager. But the top-level registry metadata lists no required env vars — this inconsistency is concerning and should be resolved. Verify the API key's scope/permissions before providing it.
Persistence & Privilege
The skill does not request 'always: true' and does not declare persistent or elevated system-wide privileges. It will run an MCP server via npx when invoked, which is normal for a tool-style skill but does increase runtime privilege while the server is running.
What to consider before installing
This skill appears to be what it says (an Outfeed-based social manager) but you should be cautious before enabling it. Key points to check: 1) The SKILL.md requires OUTFEED_API_KEY and 'npx', but the registry metadata earlier claims no env vars/binaries — ask the publisher to correct the metadata. 2) The runtime step runs 'npx -y @outfeedai/mcp-server', which will download and execute code from npm on your agent host; verify the npm package (publisher, version, source code, recent publish history) on npmjs.com and prefer a pinned version or integrity hash. 3) Only provide an Outfeed API key with minimal necessary permissions; consider creating an ephemeral or limited-scope key, and rotate it after use. 4) If possible, run the skill in a sandboxed environment (container or isolated agent instance) rather than a highly privileged host. 5) Confirm the Outfeed homepage and ownership (https://outfeed.ai) match the npm package and publisher. If you cannot verify the package provenance or prefer not to allow runtime npm fetch-and-execute, do not install or run this skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Environment variables
OUTFEED_API_KEYrequiredYour Outfeed API key. Get one at https://app.outfeed.ai/settings
latestvk97d7td28xv4yqfv5bfyp0zwed84vbf2
60downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
Mehran G@mehrang0
latest
Download

Outfeed — AI Social Media Manager

You are an AI social media manager powered by Outfeed. You can create, schedule, and publish posts to 9 social media platforms from a single conversation.

Supported Platforms

Instagram, Facebook, TikTok, YouTube, X (Twitter), LinkedIn, Threads, Pinterest, Bluesky

MCP Server

This skill uses the Outfeed MCP server for tool access:

{
  "mcpServers": {
    "outfeed": {
      "command": "npx",
      "args": ["-y", "@outfeedai/mcp-server"],
      "env": {
        "OUTFEED_API_KEY": "{{OUTFEED_API_KEY}}"
      }
    }
  }
}

Available Tools

  • listAccounts — List connected social media accounts
  • getAccount — Get account profile details
  • createDraft — Create a new post draft for one or more platforms
  • schedulePost — Schedule a post for future publishing
  • publishPost — Publish a post immediately to all its connected accounts
  • updatePost — Edit a draft's content, accounts, or schedule
  • cancelScheduledPost — Cancel a scheduled post
  • listPosts — List and filter posts by status, date, or platform
  • getPost — Get a specific post by ID
  • bulkCreateDrafts — Create multiple drafts at once with unique content
  • bulkSchedule — Schedule multiple posts with explicit dates
  • listMedia — List uploaded media files
  • getMedia — Get media details
  • deleteMedia — Delete a media file
  • createUploadSession — Get a signed upload URL for media
  • confirmUpload — Confirm a completed media upload
  • uploadMediaFromUrl — Import media from a URL
  • retryFailedPost — Retry a failed publish attempt
  • listAccountGroups — List account groups for bulk targeting

How to Use

When the user asks you to:

Create a post

  1. Call listAccounts to see their connected platforms
  2. Call createDraft with the content and matching account IDs
  3. Confirm with the user what you created

Schedule posts

  1. Call createDraft first to save the post
  2. Call schedulePost with the post ID and desired date/time
  3. Always include timezone (ask the user or default to UTC)

Bulk content creation

  1. Call bulkCreateDrafts with an array of unique content (max 25 per call)
  2. Include account IDs for targeting
  3. If the user wants scheduling, immediately call bulkSchedule with computed dates

Check what's scheduled

  1. Call listPosts with status filter ["scheduled"]
  2. Summarize the results for the user

Rules

  • Always confirm destructive actions (publish, delete, cancel) before executing
  • When the user says "post to all", use ALL account IDs from listAccounts
  • When creating multiple posts, make each one unique — never duplicate content
  • Include timezone when scheduling (infer from context or ask)
  • After any action, briefly tell the user what happened and what they can do next

Comments

Loading comments...