Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Media Manager

v1.1.0

Social media management - multi-platform publishing, scheduled posting, analytics

0· 98·0 current·0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kaising-openclaw1/xiaoming-social-media.

Install the skill "Social Media Manager" (kaising-openclaw1/xiaoming-social-media) from ClawHub.
Skill page: https://clawhub.ai/kaising-openclaw1/xiaoming-social-media
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xiaoming-social-media

ClawHub CLI

npx clawhub@latest install xiaoming-social-media
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill advertises posting to multiple social platforms (知乎/小红书/公众号/微博/Twitter) and schedule/analytics features, but the package registry entry and SKILL.md declare no required environment variables, no primary credential, and no install steps. Real publishing to these services requires API keys/tokens or OAuth flows; those are not requested or described here, which is incoherent with the stated capabilities.
Instruction Scope
SKILL.md only shows example commands that call a 'clawhub' CLI (e.g., 'clawhub social post ...') but provides no runtime instructions for authentication, credential storage, or where data flows. README suggests installing via 'npx clawhub@latest install social-media-manager', but SKILL.md does not instruct agents to run that. The instructions are vague about how credentials are obtained, how scheduled jobs are persisted, and what endpoints are contacted—granting broad and unspecified discretion to the operator or implementer.
Install Mechanism
There is no install spec in the registry entry (instruction-only). However, README suggests using 'npx clawhub@latest install social-media-manager', which would fetch and run code from the npm registry at install time. That potential install-from-npm path is not visible in the skill bundle and is a higher-risk action if an agent or user follows it—yet the skill provides no explicit, vetted install mechanism or release source.
Credentials
The skill requests no environment variables or credentials despite needing to act on behalf of user accounts on multiple platforms. This is disproportionate: posting/scheduling/analytics normally require API credentials, OAuth client secrets, or access tokens. The absence of declared credentials is either an implementation omission or an attempt to hide how authentication is handled—both are suspicious.
Persistence & Privilege
The skill does not request always:true and is user-invocable with normal autonomous invocation settings. It does not declare any special persistence or cross-skill configuration changes in the bundle, so there are no elevated privileges requested in this dimension.
What to consider before installing
This skill appears incomplete or inconsistent: it claims to post and analyze across multiple social platforms but doesn't declare how it will authenticate or how to install the tool. Before installing or using it, ask the publisher for concrete details: (1) exactly how authentication is performed (which env vars/OAuth flows, where tokens are stored and who can read them), (2) a vetted install source or release URL (avoid running arbitrary 'npx' or curl commands without review), (3) what external endpoints are contacted and what data is sent, and (4) whether scheduled jobs, drafts, or credentials are stored remotely. If you need to proceed, prefer an implementation that requires explicit, scoped credentials per platform, provide least-privilege tokens, and review any install scripts (npm packages) before running them. If the publisher cannot clarify these points, do not install or grant access to your account credentials.

latest vk97d3tcwkjz5z7dawpadhgk2a585195z
98 downloads
0 stars
2 versions
Updated 1w ago
v1.1.0
MIT-0

Social Media Manager

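A social media management tool for managing multiple platforms in one place.

Features

  • ✅ Multi-platform publishing (Zhihu/Xiaohongshu/WeChat Official Accounts)
  • ✅ Scheduled posting
  • ✅ Analytics
  • ✅ Content calendar
  • ✅ Engagement management

Usage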

# Multi-platform publishing
clawhub social post --content "内容" --platforms zhihu,xiaohongshu

# Scheduled posting
clawhub social schedule --content "内容" --time "2026-04-18 09:00"

# View analytics
clawhub social analytics --platform zhihu --days 7

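Pricing

Version | Price | Features
Free | ¥0 | 2 platforms, 5 times per month
Pro | ¥129 | Unlimited platforms + scheduling
Subscription | ¥39/month | Pro + analytics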
