Openclaw Social Scheduler — 技能工具
v0.1.0[自动翻译] Schedule and post text, media, and threads to Discord, Reddit, Twitter/X, Mastodon, Bluesky, and Moltbook via API with immediate or scheduled publishi...
0· 2,366·10 当前·10 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's claimed purpose (a multi‑platform social scheduler) largely matches the code and docs, but there are inconsistencies around credential handling and installation that warrant caution before installing or enabling it.
评估建议
This skill appears to implement the described multi-platform scheduler, but review the following before installing:
- Credentials: The skill expects platform API tokens/keys (Twitter, Reddit, Mastodon, Bluesky, Moltbook, Discord webhooks). The registry metadata declares no required env vars/config paths, yet the docs and examples expect config JSON files or .credentials/*.json. Confirm there are no hardcoded or bundled credentials in the package (search for strings like 'moltbook_sk_' or other ...详细分析 ▾
ℹ 用途与能力
The skill implements a multi‑platform social scheduler (Discord, Reddit, Twitter/X, Mastodon, Bluesky, Moltbook) and includes platform modules and media upload code consistent with that purpose. However the registry metadata declares no required environment variables or config paths while the documentation and code expect user-provided API keys/config JSON files (and contain references to a local '.credentials/moltbook.json'), which is an inconsistency between declared requirements and actual usage.
ℹ 指令范围
SKILL.md instructs agents/users to run npm install and node scripts (post.js, schedule.js, upload-media.js, etc.) and provides examples that reference local config files and environment variables (e.g., process.env.WORKSPACE_ROOT). The instructions do not explicitly instruct wide system scanning or exfiltration, but they do rely on reading local credential files and env vars that are not declared in the registry metadata — the agent will need to read/store API credentials to function.
ℹ 安装机制
There is no registry install spec; the README and SKILL.md require running 'npm install' which pulls multiple npm packages (twitter-api-v2, @atproto/api, mastodon-api, node-fetch, form-data, etc.). Pulling from npm is expected for a Node CLI but is a moderate‑risk install vector compared with instruction‑only skills. The package-lock is present and shows legitimate, traceable npm packages rather than suspicious download URLs.
⚠ 凭证需求
Although the registry lists no required env vars or config paths, the code/docs require per‑platform credentials (API keys, OAuth tokens, webhook URLs) passed via JSON files, CLI args, or environment variables. More concerning: build notes claim '.credentials/moltbook.json' exists and 'we have' working credentials — this could mean the build expected or referenced local credential files. The skill does not justify asking for unrelated secrets, but the lack of declared config paths vs. the runtime need to read credential files is an incoherence that could lead to accidental credential exposure if default paths are used.
✓ 持久化与权限
The skill does not request always:true and will not be force‑included; it is user‑invocable and allows autonomous invocation (platform default). It does not appear to modify other skills or system configs. Running a scheduler daemon is normal for its purpose and does not by itself indicate excessive privilege.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.02026/2/4
Initial public release—free, open-source post scheduler for bots & agents: - Schedule posts across Discord, Twitter/X, Mastodon, Bluesky, Reddit, and Moltbook. - Media upload support for images/videos (Twitter/X, Mastodon, Bluesky). - New: Post and schedule full threads on Twitter, Mastodon, and Bluesky with automatic chaining. - Includes scheduling, immediate post, queue management, and post cancellation features. - Platform-specific setup guides and examples included in documentation.
● 可疑
安装命令 点击复制
官方npx clawhub@latest install openclaw-social-scheduler
镜像加速npx clawhub@latest install openclaw-social-scheduler --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制