Skill v1.0.3

ClawScan security

Supapost · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 11:58 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose, single required credential (SUPAPOST_API_KEY), and runtime instructions are internally consistent and proportionate to a Supapost MCP integration.
Guidance
This skill appears to do what it claims, but before installing:
1. Verify you trust supapost.so and the developer links (check the GitHub repo and the developer settings page), because media and post content will be sent to their MCP server.
2. Treat SUPAPOST_API_KEY like any other secret: create a scoped or limited key if the service offers one, avoid pasting it on a command line (it ends up in shell history), and be aware that it will be stored in plain text in your MCP client config (e.g., ~/.cursor/mcp.json) if you follow the documented steps.
3. Confirm what data will be sent to Supapost (images, prompts, scheduling metadata) and whether that matches your privacy and compliance needs.
4. If you are concerned about autonomous usage, note that the platform default allows the agent to invoke the skill without asking; restrict or disable autonomous invocation in your agent settings if necessary.
5. Rotate or revoke the key if you suspect exposure, and inspect the linked repository and docs for any additional implementation details before trusting the integration.

Review Dimensions

Purpose & Capability
ok: Name/description (AI image/video, slides, scheduling, influencer management) match what the SKILL.md describes and the single required env var (SUPAPOST_API_KEY). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note: The SKILL.md is focused on using the Supapost MCP (list/generate/schedule/publish) and includes appropriate rules (confirm destructive actions, don't paste the API key). It instructs how to add an MCP entry (claude mcp add or editing ~/.cursor/mcp.json), which stores the Bearer token locally; that is expected for an MCP integration but worth noting because the key persists in local config. The doc also shows the Authorization header being passed inline on the command line, so a key pasted directly into that command ends up in shell history.
Install Mechanism
ok: Instruction-only skill (no install spec, no code files). No downloads or archive extraction. Lowest-risk install posture for this type of integration.
Credentials
ok: Only SUPAPOST_API_KEY is required, and this is the expected credential for the described MCP-based API. The SKILL.md documents that keys start with sp_ and instructs not to expose the key.
Persistence & Privilege
note: Skill is not always-enabled and does not request unusual system privileges. However, using the documented MCP client commands will store the Bearer token in an MCP client config (e.g., ~/.cursor/mcp.json or the client's equivalent). This local persistence is normal for MCP clients, but users should be aware that the API key will sit in that file in plain text until it is removed, so the file's permissions matter.
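The Instruction Scope and Persistence & Privilege notes above both come down to the same two hygiene points: keep the key off the command line, and make sure the config file it lands in is readable only by you. The script below is an added example, not part of the ClawScan report or the Supapost skill's own instructions. It reads the key from the SUPAPOST_API_KEY environment variable rather than from an argument, writes the MCP entry with owner-only permissions, and scans a shell history file for anything shaped like a leaked key. The MCP server URL, the exact "mcpServers"/"url"/"headers" layout of the Cursor config, and the key alphabet after the documented sp_ prefix are assumptions made for the example; check the skill's SKILL.md for the real values.

```shell
#!/usr/bin/env sh
# Added example (not from the ClawScan page or the Supapost skill): register a
# Supapost MCP entry without exposing the key on the command line, and audit
# shell history for a key that already leaked.
#
# Assumptions (not from the page): the server URL, the JSON layout of
# ~/.cursor/mcp.json ("mcpServers" -> name -> url/headers), and the key
# alphabet after the "sp_" prefix the SKILL.md documents.

# Reject anything that does not look like a Supapost key. The "sp_" prefix is
# documented; the [A-Za-z0-9_-]{8,} remainder is an assumption.
validate_key() {
    case "$1" in
        sp_*) ;;
        *) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^sp_[A-Za-z0-9_-]{8,}$'
}

# Write the MCP client config with owner-only permissions. The key comes from
# the SUPAPOST_API_KEY variable, never from an argument, so it does not appear
# in shell history or in `ps` output while this runs.
write_mcp_config() {
    config="$1"                            # e.g. "$HOME/.cursor/mcp.json"
    url="${2:-https://mcp.supapost.so}"    # hypothetical URL; use the one in SKILL.md
    key="${SUPAPOST_API_KEY:?SUPAPOST_API_KEY is not set}"
    validate_key "$key" || {
        echo "refusing: value does not look like a Supapost key" >&2
        return 1
    }
    mkdir -p "$(dirname "$config")"
    old_umask=$(umask)
    umask 077                              # the temp file is created 0600
    tmp="$config.tmp.$$"
    printf '{\n  "mcpServers": {\n    "supapost": {\n      "url": "%s",\n      "headers": { "Authorization": "Bearer %s" }\n    }\n  }\n}\n' \
        "$url" "$key" > "$tmp"
    mv "$tmp" "$config"                    # atomic replace keeps the 0600 mode
    umask "$old_umask"
}

# Succeed only if the config is owner read/write and nothing else.
# `ls -l` is used instead of stat(1) because stat's flags differ across platforms.
config_is_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Print the number of history lines carrying something shaped like a Supapost
# key. Anything above 0 means: rotate the key at supapost.so, then scrub the file.
audit_history() {
    histfile="${1:-$HOME/.bash_history}"
    [ -f "$histfile" ] || { echo 0; return 0; }
    n=$(grep -Ec 'sp_[A-Za-z0-9_-]{8,}' "$histfile" || true)
    echo "$n"
}

# Usage (interactive):
#   read -r SUPAPOST_API_KEY; export SUPAPOST_API_KEY   # typed, not pasted into a command
#   write_mcp_config "$HOME/.cursor/mcp.json"
#   config_is_private "$HOME/.cursor/mcp.json" && echo "config is private"
#   echo "history hits: $(audit_history "$HOME/.bash_history")"
```

Reading the key with a bare `read -r` (or from a password manager's CLI) keeps it out of `~/.bash_history`, which records the command line but not what was typed at a prompt. If `audit_history` ever reports a hit, rotating the key matters more than deleting the line: the history file may already have been synced or backed up elsewhere.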