Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Social Media Manager

v1.1.0

Automate high-engagement 6-slide TikTok carousels using AI-generated consistent images and Postiz API for draft scheduling and notification.

0 · 1.3k · 17 current · 17 all-time

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The SKILL.md clearly targets Postiz and AI image generation, which is consistent with a 'Social Media Manager'. However, the registry metadata declares no required credentials or primaryEnv even though the instructions require a Postiz API key and refer to AI image models. The instructions also use curl, but the skill metadata lists no required binaries. These omissions are inconsistent with the described capability.
Instruction Scope (flagged)
Runtime instructions include concrete API calls (upload, posts, integrations) and example curl commands that expect an API key (Authorization: <KEY>) and files on disk. The SKILL.md does not instruct the agent to read unrelated system files, but it does assume access to generated media files, platform integration IDs, and external AI image models, none of which are covered in the declared requirements. The instructions also give the agent broad discretion to 'use AI' without specifying which service or credentials to use.
Install Mechanism
This is an instruction-only skill (no install spec, no code), which is lower risk for on-disk changes. However, the runtime examples rely on curl and file uploads; the absence of declared required binaries is a mismatch (curl may not be present or available in the runtime environment).
Credentials (flagged)
The skill clearly requires at least a Postiz API key (used in Authorization headers) and likely API access for AI image generation, yet the requires.env and primary credential fields are empty. Asking the user to provide an all-powerful Postiz key (one that can post to every connected platform) is a sensitive capability that should be declared and justified. The current metadata omits these sensitive requirements.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not declare modifications to other skills or system-wide settings. Autonomous invocation is allowed (the platform default), which increases the impact if credentials are supplied, but that is the platform default rather than a newly requested privilege.
What to consider before installing
This skill's instructions assume you have a Postiz API key and access to AI image-generation APIs and that curl (or equivalent) is available, but the registry metadata doesn't declare any required credentials or binaries — that's an inconsistency you should resolve before installing. Ask the author to: (1) explicitly declare required environment variables (Postiz API_KEY, any image-model keys) and list required binaries (e.g., curl); (2) explain exactly how and where you supply your Postiz key (will the skill store it? will it send it elsewhere?); (3) provide a homepage or source so you can audit or test in a sandbox. Until those are clarified, avoid granting a universal Postiz API key to an untrusted/unknown skill because it could publish across all your connected platforms. If you proceed, test with a Postiz account that has only test/draft permissions and do not share production credentials until you're satisfied with the behavior.


latest: vk976k24epfcfcan4wwkjrjf9mx818bca
