Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Social Media Suite
v1.0.1
Automate social media posting to Instagram and YouTube. Schedule and publish images, videos, and content automatically. Social media automation tool for cont...
⭐ 0· 469·2 current·2 all-time
by NEO @vitja1988
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the operations described in SKILL.md (Instagram image posts and YouTube uploads). The credential types requested in the instructions (Facebook/Instagram tokens and YouTube OAuth) are appropriate for those platforms.
Instruction Scope
SKILL.md instructs users/agents to run {baseDir}/run.sh auth and post commands, and to create credential files under {baseDir}/credentials/. However no run.sh or implementation scripts are included in the package. The document also asks the agent/user to operate on local files (video paths) and credential files — reasonable for the purpose, but the absence of the scripts that would perform these actions is an incoherence and a potential risk if you obtain those scripts from an unknown source.
Install Mechanism
No install spec and no code files are present. That minimizes automatic installation risk, but also means the skill is only documentation; any code you run will have to come from elsewhere and should be inspected.
Credentials
The skill does not request environment variables or unrelated credentials. It asks for platform-specific OAuth tokens/credential files, which are proportional to the stated functionality. Note: it recommends storing tokens in files under {baseDir}/credentials — consider file permissions and secure storage.
Persistence & Privilege
always is false and model invocation is permitted (platform default). The skill does not request persistent system-wide privileges or modify other skills. The main concern is missing implementation rather than elevated privileges.
What to consider before installing
This package is documentation for a social-media automation tool, not an executable skill — there are no scripts included (no run.sh, instagram_poster.sh, or youtube_uploader.sh). Before using:
1) Ask the publisher for the actual implementation code or a trustworthy source (homepage/repo) and review that code yourself.
2) Never run scripts obtained from untrusted sources without auditing them; they could read or exfiltrate credentials or files.
3) If you create/store tokens as files, set strict filesystem permissions and prefer short-lived or scoped credentials where possible.
4) Prefer official OAuth flows and limit scopes (e.g., only content_publish).
5) If you want this skill to run in an agent, require the author to provide verifiable code and an install spec (or provide a vetted package) so you can audit what will run.
If those things are not provided, treat the skill as incomplete and avoid running or sourcing third‑party run.sh scripts.
Like a lobster shell, security has layers — review code before you run it.
Tags: automation, content-creation, instagram, latest, marketing, posting, social-media, youtube
Runtime requirements
🚀 Clawdis
