Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AutoPost GitHub Bounty

v1.0.0

Automatically generate and post optimized social media content promoting GitHub bounty campaigns using repo data and custom messages.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The skill claims to 'send posts' to Twitter/Facebook/etc., but autopost.js only fetches repository details from the GitHub API and logs a message; there is no implemented platform integration. SKILL.md asks for social API tokens, but the package metadata lists no required env vars — capabilities and declared requirements do not match.
Instruction Scope (flagged)
SKILL.md tells the user to run with flags like --repo and --platform, but autopost.js reads raw process.argv positions (no flag parsing), so the example invocation is incorrect. The instructions say GitHub and social API tokens are required but do not explain how to provide them (.env usage is not mentioned), while the code uses dotenv and reads process.env.GITHUB_TOKEN. The runtime instructions are vague and inconsistent with the actual code behavior.
Install Mechanism
There is no custom install script; dependencies are standard npm packages (axios, dotenv) with package-lock referencing npm registry URLs. No external or unusual download URLs or archive extraction were present in the manifest.
Credentials (flagged)
Registry metadata lists no required env vars, but autopost.js expects GITHUB_TOKEN (via process.env) and uses dotenv. SKILL.md additionally requests social platform tokens that the code does not use. Environment variable requirements are under-declared and misaligned with both the README and the code.
Persistence & Privilege
The skill does not request always:true, does not modify system or other skills, and does not declare persistent system-level privileges. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges.
What to consider before installing
This skill is inconsistent: it advertises automatic multi-platform posting but the code only reads a GitHub repo and prints a composed message. Before running or providing any credentials:

1. Don't supply API tokens until you audit the code: the registry didn't declare required env vars, but the script reads GITHUB_TOKEN via dotenv.
2. Verify and fix the invocation (the script doesn't parse --repo/--platform flags as shown).
3. If you need actual posting, inspect or implement the platform-specific APIs yourself rather than trusting this package.
4. Run npm install and execute only in a sandboxed environment or CI runner you control.
5. Review package-lock for suspicious third-party packages and consider pinning or replacing dependencies.

Because of these mismatches and missing documentation, treat the package as untrusted until you confirm its behavior and provenance.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

autopost.js, line 11: Environment variable access combined with network send.


latest · vk97d3warsafxaqt89cfppfryrd84mxnn
