Social Media Engine
by Batsirai Chada · GitHub · v1.0.0
475 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install social-media-engine
Description
Automated social media manager — plan, write, schedule, and analyze content across X/Twitter, LinkedIn, Instagram, TikTok, Facebook, and Pinterest. Integrate...
Usage Guidance
What to consider before installing:
- Metadata mismatch: the registry lists no required env vars but the skill requires BUFFER_API_KEY or POSTIZ_API_KEY + POSTIZ_BASE_URL. Treat those keys as necessary before using the scheduler. Ask the publisher to update registry metadata if you rely on automated vetting.
- .env exposure: the included script will try to load a .env from the skill project, the current working directory, and HOME/.openclaw/.env if present. Make sure those .env files do not contain unrelated secrets (AWS keys, DB passwords, agent tokens). Prefer creating a minimal .env that contains only the Buffer/Postiz key you intend to provide.
- Limit API key scope: when possible use API keys with the minimum privileges needed and rotate keys if you test with higher access. Prefer creating a dedicated Buffer/Postiz API key for this skill rather than reusing an account-wide secret.
- Isolation: run the skill in an isolated environment (container or dedicated account) if you are concerned about accidental access to other credentials or resources.
- Verify the source: the SKILL.md points to a GitHub repo. Inspect that repo yourself (or ask the publisher for the exact commit hash). Confirm there are no hidden endpoints or telemetry beyond Buffer/Postiz calls.
- Affiliate link: README contains an affiliate link (dub.sh/buffer-aff). This is monetization, not a direct technical concern, but be aware the author may have incentive to recommend Buffer.
- If you need stronger guarantees: use a self-hosted Postiz instance you control, or run the scheduling script manually after reviewing its behavior. If you can't verify the registry metadata or repo, treat this skill as higher risk.
Capability Analysis
Type: OpenClaw Skill
Name: social-media-engine
Version: 1.0.0
The skill is classified as suspicious due to a vulnerability in `scripts/post-scheduler.js`. The script attempts to load API keys from `.env` files located in the skill's root, the current working directory (`process.cwd()`), and `~/.openclaw/`. While this is a common configuration pattern, it creates a risk of unintended information disclosure or misuse if other sensitive `.env` files exist in these locations and contain variables named `BUFFER_API_KEY` or `POSTIZ_API_KEY` (or their aliases). The script would then load and potentially use these unintended credentials for its API calls to Buffer or Postiz. There is no evidence of intentional malicious behavior such as arbitrary data exfiltration, persistence mechanisms, or prompt injection attempts to subvert the agent's core function.
Capability Assessment
Purpose & Capability
The skill's name, description, SKILL.md, README, and included script all align: it plans, drafts, and schedules posts via Buffer or a self-hosted Postiz. However the registry metadata lists no required environment variables or primary credential while the SKILL.md and scripts clearly require BUFFER_API_KEY or POSTIZ_API_KEY + POSTIZ_BASE_URL. That metadata mismatch is an incoherence that affects permission review and automated gating.
Instruction Scope
SKILL.md explicitly instructs the agent to run node scripts that call Buffer/Postiz APIs and to read credentials from environment variables or a local .env. The runtime steps (plan, draft, present, then run node scripts to schedule) stay within the declared social-media purpose. The only scope concern: instructions and the script tell the agent to read .env files and write scheduled-post logs — this is expected for a scheduler, but it gives the skill access to any secrets found in those .env files.
Install Mechanism
No install spec is present (instruction-only plus a single JS script). That lowers installation risk because nothing is downloaded at install time and no external archives are extracted. The included code is plain JS and calls public APIs; there are no obfuscated downloads or third‑party installers.
Credentials
Requiring a Buffer API key or Postiz API key is proportionate to a scheduler. But the skill reads .env files from multiple places (project root, current working directory, and HOME/.openclaw) and will populate process.env from any matching lines it finds. Because the registry did not declare the required env vars, users may not realize which secrets will be accessed. Reading HOME/.openclaw/.env or parent .env files can surface unrelated secrets (other API keys) to the skill, which is a privacy/credential exposure risk.
Persistence & Privilege
always: false and no special persistence is requested. The skill does not claim to auto-enable itself or modify other skills. Normal autonomous invocation is allowed (platform default) and is not by itself flagged here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install social-media-engine
- After installation, invoke the skill by name or use /social-media-engine
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Buffer-powered social media automation with AI content generation
Frequently Asked Questions
What is Social Media Engine?
Automated social media manager — plan, write, schedule, and analyze content across X/Twitter, LinkedIn, Instagram, TikTok, Facebook, and Pinterest. Integrate... It is an AI Agent Skill for Claude Code / OpenClaw, with 475 downloads so far.
How do I install Social Media Engine?
Run "/install social-media-engine" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Social Media Engine free?
Yes, Social Media Engine is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Social Media Engine support?
Social Media Engine is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Social Media Engine?
It is built and maintained by Batsirai Chada (@batsirai); the current version is v1.0.0.