ClawHub

Social media autopilot

v1.0.3

SocialEcho social media management API skill for querying team, account list, article list, and report endpoints using team API key. Use for integration chec...

0· 47·0 current·0 all-time
by@socialecho-net
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim to call SocialEcho team/account/article/report endpoints; included JS files (team.js, account.js, article.js, report.js, client.js) implement exactly those GET calls to /v1/team, /v1/account, /v1/article, /v1/report. No unrelated services, binaries, or env vars are requested.
Instruction Scope
SKILL.md instructs using explicit CLI options (--api-key, --base-url, --team-id, --lang) and shows the same commands implemented by the scripts. The code only parses CLI args, performs GET requests to the declared base URLs, and prints the JSON response. It does not read files, environment variables, or other system configuration.
Install Mechanism
No install spec in registry; skill is instruction+code only. package.json lists no dependencies and Node >=18 is required. 'npm ci' is suggested but will not fetch third-party packages (dependencies empty). No external downloads or archive extraction are used.
Credentials
The skill requires a Team API key at runtime (via --api-key), which is proportionate to the described API-calling purpose. Registry metadata did not declare a primary credential or required env vars — this is not harmful but is a minor metadata inconsistency: the API key is expected as a CLI argument rather than an environment variable.
Persistence & Privilege
always:false and no install-time actions that modify system-wide configuration. The skill does not request persistent privileges or modify other skills' configs.
Assessment
This skill appears to do only what it says: make read-only GET calls to SocialEcho endpoints and print the responses. Before installing/use: only provide a Team API key you trust (pass it as the CLI arg as instructed), verify you are pointing at the expected base URL (default https://api.socialecho.net), and avoid giving production keys to untrusted environments. Note the registry metadata doesn't declare a primary credential even though the scripts require an API key via --api-key (this is a small metadata mismatch, not malicious). Ensure Node.js >=18 is used and run the CLI in an environment where network access to the SocialEcho API is acceptable.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fvferqf680hd8j47pjt2yg984rpsq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments