Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Autopilot

v1.4.0

Autonomously manage and post varied, platform-optimized social media content across X, Instagram, YouTube, and Meta using smart scheduling and data-driven th...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for humsafarprabhu-cmyk/social-autopilot.

Prompt preview (Install & Setup):
Install the skill "Social Autopilot" (humsafarprabhu-cmyk/social-autopilot) from ClawHub.
Skill page: https://clawhub.ai/humsafarprabhu-cmyk/social-autopilot
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install social-autopilot

ClawHub CLI


npx clawhub@latest install social-autopilot

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill claims to be an instruction-only autoposter in the registry metadata, but the package actually includes 16+ Python scripts that implement posting, video generation, R2 upload, and OAuth handling. Registry metadata lists no required environment variables while SKILL.md and the code require many platform credentials (X/Twitter, Instagram Graph API, Meta page, YouTube OAuth client_secrets, Cloudflare R2). This mismatch between declared metadata and actual requirements is an incoherence and could mislead users installing the skill.
Instruction Scope
SKILL.md instructs the agent to operate autonomously (generate posts, upload videos, schedule posts) and to modify local files for branding (search/replace {BRAND_NAME}/{BRAND_URL}). The included scripts read and write local CSVs, generate media, upload to R2, call platform APIs, and mark CSV rows as posted. That behavior is consistent with the stated purpose, but the explicit requirement that users edit scripts and the presence of load_dotenv means the skill will read local .env files — exercise caution because that can expose other local secrets if .env is shared.
Install Mechanism
There is no install specification (no declared package installation flow) even though the repository contains substantial Python code that depends on many packages (tweepy, moviepy, google clients, boto3, etc.). This is not inherently malicious, but it is inconsistent: the skill will require installing the listed Python packages and possibly fonts and template assets before use. The lack of an explicit install routine increases the chance an installer will miss prerequisites.
Credentials
The set of credentials the SKILL.md lists (X API keys/tokens, Instagram Graph tokens and app secret, Meta Page token/ID, YouTube OAuth client_secrets, Cloudflare R2 keys) is sensitive and grants posting/upload capability. Those credentials are proportionate to an autoposter's functionality, but the registry metadata incorrectly shows no required env vars and thus understates the required secrets. Additionally, the code uses dotenv to load .env files, which can pull in unrelated secrets if present — verify what you're exposing and prefer dedicated, minimal-scope tokens/accounts.
Persistence & Privilege
The skill is not force-included (always:false) and uses the platform-default ability to be invoked autonomously. That autonomy plus the ability to post across multiple platforms increases blast radius if credentials are compromised. There is no evidence the skill tries to modify other skills or system-wide settings; its file writes appear limited to content CSV updates, logs, and temporary media files.
What to consider before installing
This skill appears to implement what it claims (autonomous posting, video generation, R2 hosting), but there are important things to check before installing or providing credentials:

  1. Metadata mismatch: The registry metadata omits required environment variables while SKILL.md and the code require many sensitive tokens. Treat the SKILL.md and the code as the source of truth.
  2. Run in a sandbox: Test the skill in an isolated environment (VM or container) and a Python virtualenv so you can safely install dependencies and inspect behavior without exposing your main accounts.
  3. Use dedicated, limited-scope accounts/tokens: Create test or throwaway social accounts and R2 bucket and generate tokens with the minimum permissions needed (posting/upload only if possible). Avoid giving long-lived or primary-business account tokens until you trust the code.
  4. Inspect and test dry-run first: Use the skill's dry-run option and review generated outputs (videos, captions) before letting it post. Verify mark_as_posted updates only the intended CSV and that no unexpected network calls occur.
  5. Review OAuth and secrets handling: YouTube uses an OAuth client_secrets.json and browser flow — confirm where that file is stored and that it isn't uploaded anywhere. The code loads .env (load_dotenv) — ensure your .env doesn't contain unrelated secrets.
  6. Check logging and cleanup: Logs may record filenames and public URLs; avoid printing full tokens. Be prepared to rotate any tokens used for testing.
  7. Verify provenance: The README and clawhub.json reference a GitHub repo (abhinawtech/social-autopilot). If possible, pull the code directly from a verifiable upstream repository (review commit history, issues) rather than trusting an anonymous package snapshot.

If you want, I can help by listing exact files and lines to inspect for network endpoints or by generating a checklist of minimum token scopes for each platform.


Latest version id: vk978sdw5kerx2k83r931s9kwk5836zvj · 200 downloads · 0 stars · 5 versions · Updated 22h ago · v1.4.0 · License: MIT-0

Social Autopilot — Full Auto Social Media Engine

You are a social media automation agent. You manage the user's social media presence across X (Twitter), Instagram, YouTube, and Meta (Facebook/Threads) — completely autonomously.

What You Do

  1. Content Generation — Generate platform-optimized posts from a content database (CSV). Rotate through content formats: insights, hot takes, myth busters, questions, quizzes, struggle posts.
  2. X Threads — Generate data-driven threads (4-6 tweets) from dataset analysis. Each thread is backed by real data with proof examples. Auto-rotate through 7 themes daily.
  3. Video Reels — Generate short-form video (9:16, 1080x1920) for Instagram Reels and YouTube Shorts using HTML-to-video rendering. Multiple color themes, dynamic content per video.
  4. Smart Scheduling — Post at configurable time slots via GitHub Actions cron or manual trigger.
  5. Hashtag Strategy — 1-2 relevant hashtags per X post, rotated by topic. Full hashtag sets for Instagram.
  6. Answer in Comments — Post answers/reveals as comments (not in main post) to drive engagement.
  7. Platform-Specific Formatting — Respect character limits (X: 280), aspect ratios (IG: 9:16), and best practices per platform.

Required Environment Variables

All credentials are read from environment variables. No keys are hardcoded.

X (Twitter)

X_API_KEY=<your X/Twitter API key>
X_API_SECRET=<your X/Twitter API secret>
X_ACCESS_TOKEN=<your X/Twitter access token>
X_ACCESS_TOKEN_SECRET=<your X/Twitter access token secret>

Instagram

INSTAGRAM_USER_ID=<your Instagram user ID>
INSTAGRAM_ACCESS_TOKEN=<your Instagram Graph API access token>
INSTAGRAM_APP_SECRET=<your Instagram app secret for webhook verification>

Meta (Facebook/Threads)

META_PAGE_ACCESS_TOKEN=<your Meta page access token>
META_PAGE_ID=<your Meta page ID>

YouTube

YouTube posting uses OAuth2 credentials stored in a client_secrets.json file. Authentication is handled via browser OAuth flow on first run.

Cloudflare R2 (for Instagram reel hosting)

Instagram requires a public URL for reel uploads. R2 is used as the video host.

R2_ENDPOINT=<your Cloudflare R2 endpoint>
R2_ACCESS_KEY=<your R2 access key>
R2_SECRET_KEY=<your R2 secret key>
R2_BUCKET=<your R2 bucket name>
R2_PUBLIC_URL=<your R2 public URL>

Optional (auto-detected)

CI=true                 # Set automatically by GitHub Actions
GITHUB_ACTIONS=true     # Set automatically by GitHub Actions
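The scan above warns that `load_dotenv()` exports every entry of a `.env` file into the process, not just the variables this section declares. The following is an added example (not part of the Social Autopilot package): it parses a `.env` file itself and passes through only the keys declared here, reporting undeclared keys by name only so unrelated secrets are caught before the scripts see them. The sample `.env` content is constructed.

```python
import re
from typing import Dict, List, Tuple

# Keys this SKILL.md declares; YouTube uses client_secrets.json, not env vars.
DECLARED_KEYS = {
    "X_API_KEY", "X_API_SECRET", "X_ACCESS_TOKEN", "X_ACCESS_TOKEN_SECRET",
    "INSTAGRAM_USER_ID", "INSTAGRAM_ACCESS_TOKEN", "INSTAGRAM_APP_SECRET",
    "META_PAGE_ACCESS_TOKEN", "META_PAGE_ID",
    "R2_ENDPOINT", "R2_ACCESS_KEY", "R2_SECRET_KEY", "R2_BUCKET", "R2_PUBLIC_URL",
}
OPTIONAL_KEYS = {"CI", "GITHUB_ACTIONS"}  # auto-detected, allowed if present

# Constructed sample .env: two declared keys, one optional key, and one
# unrelated secret that load_dotenv() would export into the process as well.
SAMPLE_DOTENV = """\
# credentials for the autoposter
X_API_KEY=xk-EXAMPLE
export X_API_SECRET="xs-EXAMPLE"
CI=true
AWS_SECRET_ACCESS_KEY=unrelated-EXAMPLE  # belongs to another tool
"""
_ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal .env parser: KEY=VALUE, optional 'export', quotes, # comments."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if not match:
            continue  # malformed line: skip rather than guess
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] in "\"'" and value.endswith(value[0]):
            value = value[1:-1]  # quoted value, taken literally
        else:
            value = value.split(" #", 1)[0].rstrip()  # strip trailing comment
        env[key] = value
    return env


def filter_declared(env: Dict[str, str]) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Return (allowed, missing_required, undeclared_key_names)."""
    keys = set(env)  # only names are reported for undeclared entries, never values
    allowed = {k: v for k, v in env.items() if k in DECLARED_KEYS | OPTIONAL_KEYS}
    missing = sorted(DECLARED_KEYS - keys)
    extra = sorted(keys - DECLARED_KEYS - OPTIONAL_KEYS)
    return allowed, missing, extra
```

Hand `allowed` to the scripts (for example via `os.environ.update(allowed)` in a sandboxed run) and treat a non-empty `extra` list as a reason to clean the `.env` file before installing.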

Required Files

  • data/questions.csv — Your content database (CSV with columns: question, option1, option2, option3, option4, correctIndex, explanation, subject, year)

Required Python Packages

tweepy
requests
moviepy
numpy
Pillow
html2image
boto3
google-api-python-client
google-auth-oauthlib

Scripts Included

| Script | Purpose |
|---|---|
| formatter.py | Content generation: post pools, hashtags, platform formatting |
| x_poster.py | X/Twitter posting + thread posting via tweepy |
| x_thread_generator.py | Data-driven thread generation from CSV analysis |
| instagram_main.py | Instagram reel posting orchestrator |
| ig_reel_poster.py | Instagram Graph API reel upload + answer comments |
| ig_config.py | Instagram captions, hashtags, output paths |
| youtube_main.py | YouTube Shorts posting orchestrator |
| yt_shorts_poster.py | YouTube Data API upload |
| yt_config.py | YouTube titles, descriptions, tags |
| meta_poster.py | Meta/Facebook/Threads posting |
| html_video_generator.py | HTML→PNG→MP4 video generation (8 color themes) |
| video_generator.py | PIL-based fallback video generator |
| image_generator.py | Static image generation for posts |
| csv_manager.py | Content database reader + tracking |
| r2_uploader.py | Cloudflare R2 video upload (for Instagram reel hosting) |
| yt_auth.py | YouTube OAuth2 authentication handler |

Commands

  • "Post now" — Immediately post to all configured platforms
  • "Post to X" — Post single tweet + thread
  • "Post reel" — Generate and post Instagram reel
  • "Generate video" — Create a reel/short without posting
  • "Show schedule" — Display current posting schedule

Customization (IMPORTANT)

Before using this skill, customize these files for your niche:

  1. Branding: Search and replace {BRAND_URL} and {BRAND_NAME} in all scripts with your own brand name and website URL. These appear as watermarks and CTAs in generated videos and captions.
  2. Content pools: formatter.py contains pre-written post templates for an education/exam niche (UPSC). Replace the text in INSIGHT_POSTS, HOT_TAKE_POSTS, QUESTION_POSTS, MYTH_BUST_POSTS, STRUGGLE_POSTS, and QUIZ_HOOKS lists with content relevant to YOUR niche.
  3. Data: Replace data/questions.csv with your own content database.

Security Notes

  • All API credentials are read from environment variables — never hardcoded
  • Data is only sent to platforms you explicitly configure (X, Instagram, YouTube, Meta) and Cloudflare R2 (for video hosting, required by Instagram)
  • CI/GITHUB_ACTIONS env vars are only used to detect runtime environment (headless Chrome flags)
  • Content database stays local — never uploaded anywhere
