mguozhen

Social Reply Bot

by mguozhen · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
269 Downloads · 0 Stars · 0 Active Installs · 4 Versions
Install in OpenClaw
/install social-reply-bot
Description
Reddit & X/Twitter auto-reply bot for ecommerce/SaaS growth. Finds relevant posts about AI customer service, Amazon FBA, Shopify — posts genuine AI-generated...
Usage Guidance
Key things to check before installing:
- The registry metadata omits requirements the code needs (it uses ANTHROPIC_API_KEY and the 'browse' CLI). Treat SKILL.md/README as authoritative and double-check they match what the installer will do.
- Do NOT run curl ... | bash without inspection. Download install.sh and setup.sh from the repo and read them locally (or run them in an isolated VM/container) before executing.
- The tool requires you to log into Reddit/X in an automated browser session; that gives the software the ability to post using your accounts. This can lead to account suspension if behavior violates platform policies. Consider using throwaway/test accounts first.
- The installer registers a macOS LaunchAgent (persistent scheduled runs) and creates files under your home directory. If you don’t want persistent background jobs, skip the installer and run the code manually in a controlled environment.
- The code contains hard-coded checks/strings (e.g., account names like 'mguozhen', 'VocAiSage', 'Hunter Guo') that indicate it was tailored to the author’s accounts; expect to review and adapt code before using it with your accounts.
- Limit the Anthropic API key you use (billing/permissions) and monitor usage. If possible create a dedicated key with strict limits.
- If you lack confidence auditing the install scripts or the code, run the project in an isolated VM or container (or avoid installing) and/or ask the author to provide a reproducible install manifest and to fix the registry metadata mismatches.
Capability Analysis
Type: OpenClaw Skill
Name: social-reply-bot
Version: 1.2.0
The bundle implements a social media automation bot with several high-risk behaviors and security vulnerabilities. Most critically, `bot/browser.py` contains a shell injection vulnerability where it executes commands via `subprocess.run(shell=True)` using unsanitized string interpolation in functions like `type_text`. The installation scripts (`install.sh` and `setup.sh`) establish persistence on macOS by creating a `LaunchAgent` and insecurely store the `ANTHROPIC_API_KEY` in a local plist file. Additionally, the `SKILL.md` file contains instructions for the AI agent to execute a remote script via `curl | bash` (from `raw.githubusercontent.com`), which is a high-risk pattern for remote code execution and prompt injection.
Capability Tags
requires-oauth-token
Capability Assessment
Purpose & Capability
The skill claims to be a social auto-reply bot (Reddit + X) which legitimately needs a Claude/Anthropic API key and a browser automation CLI, and the code uses those. However the registry metadata declares no required environment variables or binaries while SKILL.md and the source require ANTHROPIC_API_KEY and the 'browse' CLI. That mismatch between declared requirements and actual code/instructions is incoherent and should be clarified.
Instruction Scope
SKILL.md instructs you to run a one-line installer (curl | bash) from the GitHub repo and to log into your Reddit and X accounts in a browse-controlled Chrome window. The runtime instructions and code will automate browsing, click Google OAuth selectors, post comments, and run a Reddit 'warmup' mode that posts multiple comments. These actions stay within the stated purpose but require interacting with your logged-in browser sessions and performing automated posts — a high-impact capability that should be explicitly acknowledged.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md/README direct users to curl the project's install.sh from raw.githubusercontent.com and pipe it to bash. Although hosted on GitHub (better than a personal IP), piping remote install scripts to shell is high-risk and the installer is described as cloning the repo, installing dependencies, initializing an SQLite DB, and registering a macOS LaunchAgent. You should inspect install.sh and setup.sh before running them.
Credentials
The code explicitly requires ANTHROPIC_API_KEY (and optionally BROWSERBASE_API_KEY / PROJECT_ID). The registry metadata listed no required env vars or primary credential, which is inaccurate. Those environment variables are necessary for the bot to function (AI generation and optional persistent browser sessions). No other unrelated credentials are requested in the code, which is proportionate — but the metadata mismatch is problematic.
Persistence & Privilege
The installer will (per README) register a macOS LaunchAgent to run daily and create files under ~/social-bot and a logs directory; the repo includes install/setup scripts that likely modify your system (install global npm packages, register scheduled jobs). The skill does not claim always:true, but it does request persistent scheduled execution on install — review and approve that behavior before installing.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install social-reply-bot
  3. After installation, invoke the skill by name or use /social-reply-bot
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Redesigned README: professional layout with badges, screenshots, architecture diagram, FAQ, and comprehensive English documentation
v1.1.0
**Reddit account warmup and lead tracking features added**
- Added Reddit warmup: build account karma by posting comments in low-moderation subs (natural delays, no product mentions)
- Introduced lead tracking: analyze replied posts for customer potential, scoring and extracting business details
- Dashboard and CLI updated to support new commands: `warmup`, `leads`
- Refined product description and trigger keyword config in documentation
- Removed dashboard code and legacy setup script for a more streamlined core
- Updated setup instructions for easier installation
v1.0.1
Fix Reddit navigation: open_url return, proper content extraction, stable comment-link nav
v1.0.0
Initial release: Reddit & X auto-reply with AI-generated responses
Metadata
Slug social-reply-bot
Version 1.2.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Social Reply Bot?

Reddit & X/Twitter auto-reply bot for ecommerce/SaaS growth. Finds relevant posts about AI customer service, Amazon FBA, Shopify — posts genuine AI-generated... It is an AI Agent Skill for Claude Code / OpenClaw, with 269 downloads so far.

How do I install Social Reply Bot?

Run "/install social-reply-bot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Social Reply Bot free?

Yes, Social Reply Bot is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Social Reply Bot support?

Social Reply Bot is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Social Reply Bot?

It is built and maintained by mguozhen (@mguozhen); the current version is v1.2.0.
