Social Content Generator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The included script is a coherent social-post generator, but it sends prompts to OpenAI and the documentation mentions optional credentials and helper scripts that are not fully declared or included.

This looks safe for generating local draft posts and images. Before installing, note that AI mode sends prompts to OpenAI, keep API keys private, and do not provide social-media access tokens or run additional calendar/upload scripts unless you have reviewed those files separately.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Some advertised workflows may fail or may require obtaining additional unreviewed code.

Why it was flagged

The documentation references helper scripts for bulk calendars and uploading, but the provided manifest only includes scripts/generate_post.py and SKILL.md. This is not evidence of malicious behavior, but it is an incomplete provenance/install picture.

Skill content

python scripts/generate_calendar.py ... ### upload_post.py (Optional)

Recommendation

Use the included generate_post.py as reviewed here, and review any added calendar or upload scripts before running them.

What this means

If mishandled, API keys or social tokens could expose billing access or allow actions on social accounts.

Why it was flagged

The documentation mentions API keys and social-platform access tokens even though the registry metadata declares no credentials. These credentials are purpose-aligned for AI generation or optional uploading, but they are sensitive.

Skill content

OPENAI_API_KEY=sk-...
TWITTER_BEARER_TOKEN=...
TWITTER_API_KEY=...
INSTAGRAM_ACCESS_TOKEN=...
LINKEDIN_ACCESS_TOKEN=...

Recommendation

Use restricted API keys, keep .env files private, and do not provide social-platform tokens unless you have reviewed the uploader implementation and intend to use it.

What this means

Topics, prompts, and brand details entered into the generator may be sent to OpenAI.

Why it was flagged

The script sends the user-provided topic and image prompt to OpenAI for text and image generation. This is disclosed and aligned with the skill purpose, but it is still an external provider data flow.

Skill content

client.chat.completions.create(... messages=[{"role": "user", "content": prompt}] ...) ... client.images.generate(model="dall-e-3", prompt=prompt, ...)

Recommendation

Avoid putting confidential information in topics or prompts unless you are comfortable sending it to the provider; use the --no-ai option for template-only text generation.