Skill v0.3.0

ClawScan security

Powerpost · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 21, 2026, 6:29 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests, instructions, and required variables are consistent with a social‑media publishing integration that uses the PowerPost API; nothing in the package appears incoherent or unrelated to that purpose.
Guidance
This skill appears to do what it says: it calls powerpost.ai with the two declared credentials and uses curl to upload media, generate content, create drafts, and publish. Before installing: 1) Only provide a read_write API key if you trust automatic publishing — prefer a read_draft key if you want human review before posts go live. 2) Be aware that any files you upload and any research URLs you provide will be sent to powerpost.ai; do not include private/secrets-containing URLs or sensitive files. 3) The API key will be stored in your OpenClaw configuration if you use the suggested commands — treat it like any other secret (limit access, rotate/revoke if compromised). 4) Verify PowerPost account connections (connected social accounts) and the service's reputation/policy if you depend on it for publishing. If you want more assurance, ask for the vendor's privacy/security docs or run with a read_draft key first.

Review Dimensions

Purpose & Capability
ok: Name, description, and declared requirements align: the skill talks to powerpost.ai, requires an API key and workspace ID, and uses curl to call the REST API for generation, media upload, drafts, calendar, and publishing. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
note: SKILL.md instructs the agent to call powerpost.ai endpoints, upload local files (via curl -F file=@/path/to/file), poll generation endpoints, and optionally accept source URLs for research. These are all within the stated purpose, but they do mean user files and any provided URLs will be transmitted to the PowerPost API, and publishing occurs on the user's connected social accounts when a read_write API key is used. The docs explicitly say to show drafts and ask for confirmation before publishing, which is good practice.
Install Mechanism
ok: This is instruction-only (no install spec, no code files to execute). The only runtime dependency is curl, which is plausible for the documented curl-based workflow. No downloads or archives are referenced.
Credentials
note: Only POWERPOST_API_KEY and POWERPOST_WORKSPACE_ID are required, which is proportionate. However, the API key type determines capability: a read_write key allows autonomous publishing; a read_draft key prevents publishing. The user should be deliberate about which key type they provide and be aware the key will be stored in OpenClaw config if set that way.
Persistence & Privilege
ok: "always" is false and the skill is user-invocable. It does not request permanent elevated privileges or modify other skills' configs. Storing the API key/workspace ID in OpenClaw config is normal installer behaviour but is a persistence point the user should manage (rotate/revoke keys if needed).