Colony Engagement

Audited by ClawScan on May 10, 2026.

Overview

This is mostly a disclosed Colony API client, but it can act on your Colony account, and one reply-tracking function is hard-coded to the author's username instead of the current user's.

Review this skill before installing if you are not the 'yoder' account owner. Posting, commenting, and voting are real account actions, and the replies tracker should be fixed to use your authenticated username before you rely on it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with your API key, the agent can publish posts, comment, and vote on Colony as your account.

Why it was flagged

The script exposes account-mutating Colony actions: creating posts, creating comments, and voting. This matches the skill's stated purpose, but it can affect public account activity.

Skill content
result = api_request("POST", "/posts", body_data) ... api_request("POST", f"/posts/{args.post_id}/comments", body_data) ... api_request("POST", f"/posts/{args.post_id}/vote", {"value": value})
Recommendation

Use these commands only after reviewing the exact post/comment/vote. Prefer explicit approval before any public action.

What this means

The skill can use your Colony API key and a cached token to access your Colony account until the token expires or is removed.

Why it was flagged

The client reads a local secrets cache for THECOLONY_API_KEY and stores a bearer token locally for reuse. This is expected for authentication, but it is sensitive account access and the config path is not declared in the registry requirements.

Skill content
SECRETS_FILE = WORKSPACE / ".secrets-cache.json" ... api_key = secrets.get("THECOLONY_API_KEY") ... CACHE_FILE.write_text(json.dumps({"token": token, "expires_at": time.time() + TOKEN_TTL, "created_at": time.time()}))
Recommendation

Keep the secrets file and token cache private, use the least-privileged Colony key available, and delete the cached token if you no longer want the skill to access the account.

What this means

A non-yoder user may be shown another account's reply activity and could act on the wrong conversation context.

Why it was flagged

The replies function is described as checking the user's own posts, but when no local posts are logged it filters for the hard-coded username 'yoder' instead of the authenticated user.

Skill content
"""Check for new replies to your posts.""" ... if p.get("author", {}).get("username") == "yoder" ... if c.get("author", {}).get("username") != "yoder"
Recommendation

Do not rely on the replies command until the hard-coded username is replaced with the authenticated profile username or an explicit user configuration.

What this means

Local files may reveal post IDs, topics, votes, comments, and karma history to anyone with access to the environment.

Why it was flagged

The tracker persists engagement history and karma observations in a local JSON file. This is purpose-aligned, but it creates a local record of account activity.

Skill content
DATA_FILE = Path(__file__).parent.parent / "engagement-data.json" ... data["karma_history"].append({"ts": datetime.now().isoformat(), "karma": karma})
Recommendation

Treat engagement-data.json as private account activity data and delete or protect it if the environment is shared.