Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Reply Bot

v1.2.0

Reddit & X/Twitter auto-reply bot for ecommerce/SaaS growth. Finds relevant posts about AI customer service, Amazon FBA, Shopify — posts genuine AI-generated...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mguozhen/social-reply-bot.

Install the skill "Social Reply Bot" (mguozhen/social-reply-bot) from ClawHub.
Skill page: https://clawhub.ai/mguozhen/social-reply-bot
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install social-reply-bot

ClawHub CLI

npx clawhub@latest install social-reply-bot
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be a social auto-reply bot (Reddit + X) which legitimately needs a Claude/Anthropic API key and a browser automation CLI, and the code uses those. However the registry metadata declares no required environment variables or binaries while SKILL.md and the source require ANTHROPIC_API_KEY and the 'browse' CLI. That mismatch between declared requirements and actual code/instructions is incoherent and should be clarified.
Instruction Scope
SKILL.md instructs you to run a one-line installer (curl | bash) from the GitHub repo and to log into your Reddit and X accounts in a browse-controlled Chrome window. The runtime instructions and code will automate browsing, click Google OAuth selectors, post comments, and run a Reddit 'warmup' mode that posts multiple comments. These actions stay within the stated purpose but require interacting with your logged-in browser sessions and performing automated posts — a high-impact capability that should be explicitly acknowledged.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md/README direct users to curl the project's install.sh from raw.githubusercontent.com and pipe it to bash. Although hosted on GitHub (better than a personal IP), piping remote install scripts to shell is high-risk and the installer is described as cloning the repo, installing dependencies, initializing an SQLite DB, and registering a macOS LaunchAgent. You should inspect install.sh and setup.sh before running them.
Credentials
The code explicitly requires ANTHROPIC_API_KEY (and optionally BROWSERBASE_API_KEY / PROJECT_ID). The registry metadata listed no required env vars or primary credential, which is inaccurate. Those environment variables are necessary for the bot to function (AI generation and optional persistent browser sessions). No other unrelated credentials are requested in the code, which is proportionate — but the metadata mismatch is problematic.
Persistence & Privilege
The installer will (per README) register a macOS LaunchAgent to run daily and create files under ~/social-bot and a logs directory; the repo includes install/setup scripts that likely modify your system (install global npm packages, register scheduled jobs). The skill does not claim always:true, but it does request persistent scheduled execution on install — review and approve that behavior before installing.
What to consider before installing
Key things to check before installing:

  • The registry metadata omits requirements the code needs (it uses ANTHROPIC_API_KEY and the 'browse' CLI). Treat SKILL.md/README as authoritative and double-check they match what the installer will do.
  • Do NOT run curl ... | bash without inspection. Download install.sh and setup.sh from the repo and read them locally (or run them in an isolated VM/container) before executing.
  • The tool requires you to log into Reddit/X in an automated browser session; that gives the software the ability to post using your accounts. This can lead to account suspension if behavior violates platform policies. Consider using throwaway/test accounts first.
  • The installer registers a macOS LaunchAgent (persistent scheduled runs) and creates files under your home directory — if you don’t want persistent background jobs, skip the installer and run the code manually in a controlled environment.
  • The code contains hard-coded checks/strings (e.g., account names like 'mguozhen', 'VocAiSage', 'Hunter Guo') that indicate it was tailored to the author’s accounts; expect to review and adapt code before using it with your accounts.
  • Limit the Anthropic API key you use (billing/permissions) and monitor usage. If possible create a dedicated key with strict limits.
  • If you lack confidence auditing the install scripts or the code, run the project in an isolated VM or container (or avoid installing) and/or ask the author to provide a reproducible install manifest and to fix the registry metadata mismatches.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai, growth, latest, marketing, reddit, social-media, twitter
242 downloads
0 stars
4 versions
Updated 1h ago
v1.2.0
MIT-0

Social Reply Bot

Automatically finds and replies to relevant Reddit and X/Twitter posts about ecommerce, Amazon FBA, and AI customer service. Also builds Reddit account karma and tracks potential customer leads.

Commands

social reply bot                  # run both platforms
social reply bot x only           # X/Twitter only
social reply bot reddit only      # Reddit only
social reply bot warmup           # build Reddit karma (8 comments)
social reply bot warmup 15        # warmup with custom target
social reply bot leads            # show potential customers found
social reply bot stats            # today's stats
social reply bot dashboard        # open web dashboard

Setup

curl -fsSL https://raw.githubusercontent.com/mguozhen/social-bot/main/install.sh | bash

Requirements

  • browse CLI: npm install -g @browserbasehq/browse-cli
  • Log in to Reddit and X in the browse-controlled Chrome window
  • ANTHROPIC_API_KEY in .env

Features

Daily Reply Bot

  • Searches subreddits and X for posts matching your product keywords
  • Claude generates genuine, on-topic replies (not spam)
  • Browser automation — no Reddit/X API key needed
  • SQLite deduplication — never replies to the same post twice

Reddit Warmup (karma building)

  • Visits low-moderation subreddits (r/karma, r/CasualConversation, r/self)
  • Claude Haiku generates authentic short comments (no product mentions)
  • Natural delays between posts (90–180s)
  • Builds Comment Karma to unlock restricted subreddits

Lead Tracking

  • Every replied post analyzed by Claude for customer potential
  • Scored 1–10 with urgency level
  • Extracts business type and pain points
  • View with: social reply bot leads

Configuration

Edit ~/social-bot/config.json to set your subreddits, X search queries, product descriptions, and daily targets.
