Social Media Suite
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill matches its social-posting purpose, but it asks for publish-capable social account credentials while the runnable implementation is missing and posting safeguards are not clearly defined.
Review carefully before installing. This skill is meant to control social media accounts, so only use it with accounts you are comfortable automating, require manual approval for every post, and do not place long-lived tokens or OAuth files in the skill directory until the actual implementation code is available and reviewed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are mishandled or the skill is invoked incorrectly, content could be posted or account access used in ways the user did not intend.
These credentials can authorize posting and account access on Instagram and YouTube. That is expected for the stated purpose, but the metadata declares no credential contract and the docs do not clearly bound YouTube scopes, storage protections, or revocation handling.
A Facebook App with the necessary permissions: `instagram_basic`, `instagram_content_publish`, `pages_show_list`, `pages_read_engagement` ... A long-lived **User Access Token** ... `youtube_credentials.json`
Use least-privilege OAuth scopes, dedicated accounts where possible, secure the credentials directory, and revoke tokens if you uninstall or stop using the skill.
An agent could publish unwanted, incorrect, or brand-damaging posts if given credentials and allowed to run the posting command without careful user review.
The documented workflow can publish content to public-facing social channels, but the artifacts do not require explicit confirmation, preview, or other safeguards before high-impact account mutation.
**Post to Instagram and YouTube automatically.** ... `bash {baseDir}/run.sh post --platform instagram` ... `--privacy "public"`Require explicit user approval for every post or upload, test with private/unlisted settings first, and avoid enabling autonomous posting for sensitive accounts.
Users cannot verify what code would handle their social account credentials or publish content, and the documented commands may fail or later rely on unreviewed code.
The provided package contains only SKILL.md, but the documented credential handling and posting flows depend on a missing runner script. The sensitive implementation that would use tokens and publish content is not available for review.
The actual logic would be implemented in a `run.sh` script ... A simplified `run.sh` might look like this
Do not add credentials until the actual runner and platform-specific code are present, pinned, and reviewed; the registry metadata should also declare the credential requirements.