Security scan
OpenClaw
Suspicious
high confidence
The skill's code and runtime instructions expect a Buffer API key and an npm install, but the registry metadata omits required environment variables and an install step — this mismatch is concerning and should be resolved before trusting the skill.
Assessment and recommendations
This skill appears to be a legitimate Buffer CLI implementation, but there are important inconsistencies you should address before installing:
1) Metadata vs reality: the registry metadata does NOT declare the BUFFER_API_KEY env var or an install step, yet SKILL.md and code require you to run 'npm install' and set BUFFER_API_KEY in .env. Treat that as a red flag — confirm the skill's source and intent with the publisher before running it.
2) Verify origin: the skill lists no homepage and the r...
ℹ Purpose and capability
Name, description, SKILL.md and source files consistently implement a Buffer CLI that talks to Buffer's GraphQL API. However the registry metadata claims 'Required env vars: none' and 'No install spec — instruction-only' while the SKILL.md and code clearly require BUFFER_API_KEY/.env and expect 'npm install'. That metadata omission is incoherent with the actual capability.
✓ Instruction scope
SKILL.md and the code instruct the agent to read a local .env, validate BUFFER_API_KEY, call Buffer's API, and optionally read local image files (validated via existsSync). The instructions do not request unrelated files, other credentials, or unexpected external endpoints beyond Buffer and referenced developer docs.
ℹ Install mechanism
There is no registry install spec but the package includes full Node.js source, package.json, and package-lock.json and SKILL.md tells users to run npm install. This is not inherently malicious, but the mismatch (no declared install but code present) is a sign to verify origin before running npm install from an untrusted skill.
⚠ Credential requirements
The runtime requires BUFFER_API_KEY (and optionally BUFFER_API_URL) per SKILL.md and lib/config.js, but the registry metadata lists no required env vars or primary credential. Requesting a single Buffer API key is proportionate for a Buffer integration, but the metadata omission increases risk (users might not realize a secret will be used).
✓ Persistence and privileges
Skill is not always-enabled and does not request persistent system-wide privileges. It does not modify other skills or system configs; autonomy is allowed by default but does not combine with other privilege red flags here.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/4
Initial release: Buffer social media scheduling skill
● Harmless
Install command
Official: npx clawhub@latest install buffer-social
Mirror (accelerated): npx clawhub@latest install buffer-social --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库