Skill v1.3.0

ClawScan security

Social media autopilot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 6:04 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The package is a coherent CLI wrapper for the SocialEcho API: it expects an explicit team API key passed at runtime, bundles straightforward Node.js scripts, and does not request unrelated credentials or perform unexpected network actions.
Guidance
The package appears to do what it says, but consider these practical cautions before installing or running it: (1) Protect your team API key — passing secrets on the command line can expose them via process listings on multi-user systems; prefer secure input methods or a short-lived key. (2) Inspect any publish payload JSON you pass (--payload) to avoid including private URLs or sensitive data. (3) The --base-url option can be changed at runtime; only point it at servers you trust. (4) Because the scripts will send requests to the configured base URL, verify the endpoint (default https://api.socialecho.net) and review network egress policies if running in a sensitive environment. (5) If you need higher assurance, run the bundle in an isolated sandbox or review the remaining truncated files before using it in production.

Review Dimensions

Purpose & Capability
ok · Name/description match the code and OpenAPI: the scripts implement team/account/article/report/upload/publish operations against https://api.socialecho.net. Required inputs (an API key, team id, base URL) are consistent with a social-media management integration.
Instruction Scope
ok · SKILL.md instructions stay within the stated purpose. It instructs using CLI options (--api-key, --base-url, --team-id, --lang) and Node >=18; the code reads a local payload file for publishing and prints results to stdout. The scripts read local files only where expected (publish payload JSON, bundled markdown docs).
Install Mechanism
ok · No install spec is provided and all source files are bundled. SKILL.md suggests running npm ci, but package.json has no external dependencies and there are no download or extract steps that would pull arbitrary remote code.
Credentials
ok · The skill declares no required environment variables and the runtime expects an API key supplied via CLI argument. No unrelated credentials or system config paths are requested. The Authorization header is set to Bearer <api-key>, which is appropriate for this API.
Persistence & Privilege
ok · The skill is not always-on, does not request elevated privileges, and does not modify other skills or system agent configuration. It only reads/writes its own bundled files and stdout/stderr.