Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Indie App Marketing Pipeline

v1.0.0

Template-driven multi-platform content pipeline for indie iOS developers. Generates and schedules a full week of social posts (TikTok, YouTube Shorts, X/Twit...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to schedule social posts via Postiz and requires node + POSTIZ_API_KEY — exactly what the scripts use. Required files, prompts, and integration IDs all match the marketing/scheduling purpose.
Instruction Scope
SKILL.md and the scripts explicitly instruct the agent/user to create a local directory, configure Postiz integration IDs, edit a content bank, run the weekly planner and daily publisher, and optionally run a video-gen script. The scripts read local files (.env, config.json, content-bank.json, posting-history.json) and call Postiz — all within the described scope. No hidden network endpoints or extra data-collection steps are present.
Install Mechanism
There is no remote install or arbitrary downloader. This is an instruction+script package with no install spec; files are bundled in the skill. That lowers supply-chain risk compared with remote downloads.
Credentials
Only POSTIZ_API_KEY (and user-provided integration IDs stored in config) are required. That is proportional to scheduling posts via Postiz. The scripts read .env and config.json as expected and do not attempt to access unrelated credentials or system config paths.
Persistence & Privilege
always is false and the skill does not request persistent platform-wide privileges. setup.sh writes files into the chosen target directory (config.json, .env, posting-history.json) — confined to the user's chosen workspace and expected for this functionality.
Assessment
This package appears to do what it says: generate plans from a local content bank and post them to Postiz. Before installing or running:
1) Review config.json/.env values and keep your POSTIZ_API_KEY secret; setup.sh writes the API key in plaintext to .env.
2) Run weekly-planner.js and daily-publisher.js with --dry-run first to confirm outputs and that findPlanForDate picks the expected plan.
3) The publisher will make live API calls unless you use --dry-run; only run live when ready.
4) If you set config.videoGen.script, daily-publisher will execSync that script (run arbitrary code); only point it at code you trust.
5) Ensure your node version supports global fetch (Node 18+), or the scripts may fail.
6) If you use a self-hosted Postiz instance, double-check POSTIZ_URL in config.
In short: behavior is coherent and expected, but treat the Postiz API key and any video-gen script as sensitive/trust decisions.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/daily-publisher.js:220: Shell command execution detected (child_process).
scripts/daily-publisher.js:75: Environment variable access combined with network send.
scripts/daily-publisher.js:55: File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

latest vk97af7jqns52tms9v080q60rtx83a946

Runtime requirements

📲 Clawdis
Bins: node
Env: POSTIZ_API_KEY