ClawHub

Boring Threads Publisher

v1.0.3

Publish posts and threads to Threads (by Meta) using Boring. Use when the user says 'post to Threads', 'create a thread', 'publish thread', 'write a Threads...

0· 93·0 current·0 all-time
by@snoopyrain
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill is an instruction-only connector for publishing to Threads via Boring. The sole required credential (an MCP Connector link that contains an embedded auth token) matches the described architecture and is necessary for Boring to act on the user's behalf.
Instruction Scope
Instructions are narrowly scoped to listing accounts, preparing media, splitting long content, and calling Boring endpoints (publish/list/upload). They do instruct uploading local files or re-hosting URLs to Boring's Google Cloud Storage, which means user files and post content will be transmitted to a third-party service — this is expected for the stated purpose but is a privacy/data‑exfiltration consideration.
Install Mechanism
No install step or code is included (instruction-only), so nothing is downloaded or written to disk by the skill itself. This lowers code-execution risk but also means there is no local code to audit.
Credentials
No environment variables are requested. The single required credential is the MCP link (embedded token) stored as a Connector. That is proportionate to the function, but it is a high-value secret — if compromised it grants the third party (Boring) ability to publish as the connected account.
Persistence & Privilege
always:false and default model invocation are set; the skill is not force-installed and does not request persistent system-level privileges or modify other skills. Autonomous invocation is permitted by the platform default, which is expected for skills.
Assessment
This skill appears to do what it says, but before installing or connecting your account consider: (1) The MCP Connector URL contains an embedded auth token — treat it like a password. Only paste it into systems you trust and be prepared to revoke/regenerate it if needed. (2) Using the skill will upload any local media and post content to Boring's servers (re-hosted in Google Cloud Storage) before publishing to Threads — do not upload sensitive files or secrets. (3) Verify the Boring documentation and domain (boring-doc.aiagent-me.com) and confirm the connector URL matches that vendor. (4) If you want tighter control, avoid enabling autonomous invocation or limit the agent's permissions so posts require explicit user confirmation. (5) Because this is instruction-only (no code to inspect), you cannot locally audit behavior beyond the provided docs — if you need stronger assurances, request a verifiable code package or official integration documentation from the vendor.

Like a lobster shell, security has layers — review code before you run it.

latestvk9744m01wpgsv5ty7dfa82arcn83p8es

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧵 Clawdis
ConfigMCP Connector link from boring.aiagent-me.com (contains embedded auth token)

Comments