ClawHub

Social Media Agent

v1.0.0

Autonomous social media management for X/Twitter using only OpenClaw native tools. Use when a user wants to automate X posting, generate content, track engagement, or build an audience. Triggers on requests about tweets, social media strategy, X engagement, content calendars, or growing a following. No API keys required — uses browser automation and web_fetch.

10· 7.9k·55 current·56 all-time
by@psmamm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (automating X/Twitter via browser automation and scraping) matches the instructions: web_fetch for research, browser actions to compose/post, and memory for drafts/logs. Requiring no API keys is coherent because browser automation can operate on logged-in sessions. However, the skill implicitly expects access to a browser debugging endpoint (or OpenClaw's built-in browser), which is a powerful mechanism for accomplishing the stated goal and is not called out in the metadata.
!
Instruction Scope
The SKILL.md explicitly instructs connecting to Chrome with remote debugging OR using the built-in browser, taking snapshots, finding input elements, typing, clicking, and scheduling autonomous posts. Those steps require interacting with a live browser session and can access cookies, auth tokens, and other logged-in accounts. The instructions also encourage autonomous scheduled posting (cron + sessionTarget: 'isolated' + payload.kind: 'agentTurn'), which could lead to actions executed without further user confirmation.
Install Mechanism
Instruction-only skill with no install spec and no code files. That minimizes disk write/execution risk. Nothing is downloaded or installed by the skill itself.
!
Credentials
No environment variables or credentials are requested, which at first glance is least-privileged. However, the instruction to use Chrome remote debugging (or a built-in browser) is an effective request for high-privilege access to the user's browser environment — access that can expose session cookies, tokens, and other accounts. This broad capability is not reflected in requires.env or other metadata and so is disproportionate to the innocuous description.
Persistence & Privilege
always:false (good), but the skill explicitly prescribes autonomous scheduling and isolated agent turns for posting. Autonomous invocation combined with browser-level access increases the blast radius: the agent could repeatedly post or interact without per-action user confirmation. The skill does not request persistent system configuration changes, nor does it modify other skills.
What to consider before installing
This skill appears to do what it says (automate X posts via browser automation), but it relies on connecting to a browser debugging session or using a built-in browser — that effectively gives the agent broad access to any accounts or cookies in that browser. Before installing or enabling it, consider: - Only allow the skill to control a browser profile or instance you explicitly dedicate to automation (preferably a throwaway/test account), not your primary browser profile. - Avoid enabling Chrome remote debugging on a browser that holds other logins. If remote debugging is required, limit it to a controlled instance and close it when not in use. - Require manual confirmation for each publish action (do not rely solely on scheduled autonomous posts) until you trust the skill. - Review and test in a disposable account to confirm behavior and that it doesn't access other sites or data. - Be aware of platform terms of service: browser automation that scrapes or automates actions can violate X/Twitter rules. Given these combined concerns (browser-level access + autonomous posting), treat the skill as suspicious unless you can constrain its browser access and require explicit user approvals for posting.

Like a lobster shell, security has layers — review code before you run it.

latestvk979g2qp4wg7497pzthgck72r180thbn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments