ClawHub

Social media autopilot

v1.0.2

Social media autopilot API skill for querying team, account list, article list, and report endpoints using team API key. Use for integration checks and data...

0· 23·0 current·0 all-time
by@socialecho-net
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name, SKILL.md, OpenAPI spec and CLI code all align: the scripts perform GET calls to team/account/article/report endpoints and require a Team API key passed at runtime. Minor metadata mismatch: registry owner ID (kn7ax...) differs from _meta.json.ownerId (socialecho-net) and there is no homepage — you may want to verify publisher identity before trusting keys.
Instruction Scope
SKILL.md instructs the agent/user to run the provided CLI scripts with explicit --api-key and optional --base-url/--team-id/--lang; the code only reads process.argv and calls the declared API endpoints. There are no instructions to read unrelated files/env vars or to transmit data to unexpected endpoints.
Install Mechanism
There is no install spec; this is effectively instruction + bundled Node CLI files (no external downloads or npm dependencies). That reduces install-time risk.
Credentials
The runtime requires a Team API key (passed via --api-key) which is appropriate for the described API calls. The skill declares no required environment variables — the key is a CLI argument. Consider that whoever/whatever invokes these scripts must supply the API key; ensure your agent or CI won't leak keys to unintended endpoints.
Persistence & Privilege
The skill does not request persistent privileges (always:false). It does not modify system or other-skill configurations and has no install-time hooks that demand elevated access.
Assessment
This package appears coherent and implements a simple CLI client for SocialEcho's public API. Before installing or using it: 1) Verify the publisher (registry owner ID vs _meta.json differ and there's no homepage) — only provide real team API keys to code from a trusted source. 2) Run the scripts in a controlled/dev environment first (use --base-url api-dev) and test with a limited/dev API key. 3) Be aware you must supply the Team API key to the script at runtime; ensure the agent or automation invoking the CLI won't accidentally forward that key to an attacker-controlled base-url. 4) Review the included client.js yourself — it prints the response body and URL (this can reveal query params or endpoints) so avoid passing sensitive values in ways that could be logged by downstream systems.

Like a lobster shell, security has layers — review code before you run it.

latestvk9705h1tx68x5erevey2d4ayv584r7q1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments