← Back to Skills Marketplace
93
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install so-me-studio
Description
so-me.studio is a multi-platform social-media scheduler. Schedule posts, manage drafts, reply to inbox messages and post comments, generate AI captions/image...
Usage Guidance
This skill appears to be a CLI helper for the legitimate so-me.studio service and only requests the service API key, but proceed cautiously:
- Confirm identity: verify the npm package @so-me/cli and the publisher before installing (check the package page, author, and GitHub repo referenced by the package). The registry metadata/title mismatch ('Bundle' vs 'so-me-studio') is odd—ask the publisher or check the package source if unsure.
- Prefer browser OAuth over pasting keys: do not paste long API keys on the command line (they appear in shell history and may be visible to other processes). Use browser OAuth or set env vars in a secure session and avoid embedding keys in one-off CLI arguments.
- Limit key scope & rotate: if possible create and use a restricted API key with only the needed scopes and rotate it if you later revoke access.
- Audit webhook usage: the CLI can create webhook subscriptions with arbitrary URLs. If you allow the agent to create webhooks, make sure you control the target URL or understand where data will be sent.
- Least privilege for automation: when giving an agent the API key, consider using a test workspace or an account with limited permissions first.
If you want me to recommend specific checks (npm package verification steps, example least-privilege key scopes, or safer CLI usage patterns), I can provide them.
Capability Analysis
Type: OpenClaw Skill
Name: so-me-studio
Version: 0.1.2
The so-me-studio skill bundle is a comprehensive and well-documented integration for a social media management platform. It provides 143 tools for managing posts, analytics, and inbox communications across multiple platforms. The SKILL.md file includes proactive security instructions, explicitly telling the AI agent never to echo the SOMESTUDIO_API_KEY, which mitigates potential prompt-injection attacks aimed at credential theft. The bundle follows standard patterns for CLI-based agent skills, uses the official so-me.studio domain, and lacks any indicators of malicious intent, obfuscation, or unauthorized data exfiltration.
Capability Tags
Capability Assessment
Purpose & Capability
The SKILL.md describes the so-me.studio CLI and its social-media scheduling features and the declared required env var (SOMESTUDIO_API_KEY) aligns with that purpose. Inconsistencies: the top-level skill name in the registry is 'Bundle' while the SKILL.md and slug identify 'so-me-studio'; the registry metadata lists no required binaries even though the instructions assume an installable CLI (npm/pnpm global install). These look like packaging or metadata mistakes rather than outright misdirection, but they should be clarified.
Instruction Scope
Runtime instructions are narrowly scoped to invoking the so-me CLI commands (accounts:list, posts:create, ai:generate-*, inbox:reply, etc.). The instructions do not request unrelated file system access. Important operational details: the SKILL.md advises passing API keys directly on the CLI (`so-me auth:login --api-key ...`) or exporting them in env vars, and it documents creating webhook subscriptions (URL is a free-form field). Those actions can leak secrets (shell history/process lists) or be used to send account data to arbitrary endpoints if misused.
Install Mechanism
There is no formal install spec; the SKILL.md recommends installing @so-me/cli from the public npm registry (npmjs.com). Installing a global npm package is a common and expected mechanism for exposing the so-me CLI, but it does download and run third-party code (moderate risk). No direct download of arbitrary archives or obscure hosts is suggested.
Credentials
The skill requests a single env var, SOMESTUDIO_API_KEY, which is proportionate to its stated purpose. However: the documentation encourages providing the raw API key on the CLI or as an exported env var (both can leak via shell history or process lists); the API key likely grants broad workspace-level access (posting, deleting, listing accounts, creating webhooks, team management). A single API key therefore has high impact; the SKILL.md does not advise least-privilege keys or scopes.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation defaults. It does not request system-wide configuration changes or other skills' credentials. No elevated persistence privileges are apparent.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install so-me-studio - After installation, invoke the skill by name or use
/so-me-studio - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
Revert bins to [] — fixes OpenClaw npm-install loop.
v0.1.1
Fix: declare 'so-me' as a required bin in SKILL.md frontmatter (was empty array). Resolves the metadata-inconsistency security flag from the v0.1.0 scan.
v0.1.0
Initial release. 143 MCP tools across all so-me.studio resources.
Metadata
Frequently Asked Questions
What is Bundle?
so-me.studio is a multi-platform social-media scheduler. Schedule posts, manage drafts, reply to inbox messages and post comments, generate AI captions/image... It is an AI Agent Skill for Claude Code / OpenClaw, with 93 downloads so far.
How do I install Bundle?
Run "/install so-me-studio" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Bundle free?
Yes, Bundle is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Bundle support?
Bundle is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Bundle?
It is built and maintained by Yasin047 (@yasin047); the current version is v0.1.2.
More Skills