← Back to Skills Marketplace
Platform API Connector
by
brandonwadepackard-cell
· GitHub ↗
· v1.0.0
554
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install platform-api-connector
Description
Connect to social media and content platform APIs by navigating developer portals, creating apps, obtaining OAuth tokens, and storing credentials. Covers Fac...
Usage Guidance
This skill appears to be an instruction guide for obtaining OAuth tokens and storing them — that behavior by itself is consistent with the description. Before installing or using it, verify these points: (1) Where will you store credentials? Provide a secure, access-controlled/ encrypted secrets store (not plaintext JSONB unless you add envelope encryption). (2) The SKILL.md mentions storing secrets in Supabase but declares no DB connection or credentials — ensure you never supply DB credentials or tokens to untrusted code and consider least-privilege DB roles. (3) Validate claims about token lifetimes (e.g., 'never expire' statements) against current platform docs and plan token rotation. (4) If you implement the provided snippets, run them locally and inspect any helper functions (get_connection/update_connection) to make sure they do not exfiltrate tokens. (5) If you intend the agent to store or retrieve credentials automatically, require explicit, audited connector configuration (connection URL, API key) and consider requiring user confirmation before any persistent writes. If you want me to, I can point out exact places in the SKILL.md to modify so it enforces encryption, least privilege, and explicit DB connection configuration.
Capability Analysis
Type: OpenClaw Skill
Name: platform-api-connector
Version: 1.0.0
The skill is classified as suspicious due to its core functionality involving the acquisition and storage of highly sensitive API credentials (client secrets, access tokens, refresh tokens, API keys) for various social media platforms. The `SKILL.md` explicitly instructs the AI agent to store these critical credentials in a database, even providing a `CREATE TABLE` SQL schema for this purpose. While the stated intent is to manage API connections, the instruction to store such sensitive data without explicit mention of robust security measures (e.g., encryption at rest, secure key management) represents a significant security vulnerability. A compromise of the database or the agent could lead to a major data breach. Additionally, `references/oauth-flows.md` details running a local HTTP server for OAuth callbacks, further highlighting network activity and sensitive data handling.
Capability Assessment
Purpose & Capability
The name and description match the instructions: the SKILL.md explains how to create apps, run OAuth flows, and store credentials for the listed platforms. However, the skill repeatedly instructs storing secrets in a DB (Supabase suggested) yet declares no required environment variables or connection configuration for a DB or secret store. That mismatch (declaring no required creds while instructing persistent storage of sensitive tokens) is noteworthy.
Instruction Scope
The instructions explicitly tell the operator to run local OAuth servers, read a 'credentials.json' file for Google, and persist client secrets/access tokens into a JSONB DB table. The SKILL.md does not advise encryption-at-rest, access controls, or secrets rotation, and it references helper functions (get_connection/update_connection) that are not provided. Recommending storing raw secrets without guidance is a security risk and broadens the runtime scope beyond simply 'helping get tokens.'
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That minimizes install-time risk (nothing will be downloaded or written by an installer). The regex scanner had nothing to analyze.
Credentials
The skill requests no environment variables or primary credential in metadata, yet it presumes persistent storage (Supabase/DB) and local files (credentials.json). For practical use the operator will need DB connection info, API keys, or service credentials—none are declared. Also, the SKILL.md recommends storing highly sensitive secrets but provides no guidance to limit access, encrypt, or scope them, which is disproportionate for a helper doc.
Persistence & Privilege
The skill does not request always:true, does not include installers, and is user-invocable only. It does not try to modify other skills or system-wide settings. Autonomous invocation is enabled by default on the platform but is not combined here with other red flags.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install platform-api-connector - After installation, invoke the skill by name or use
/platform-api-connector - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: OAuth flows and credential management for Facebook, Instagram, YouTube, Twitter, TikTok
Metadata
Frequently Asked Questions
What is Platform API Connector?
Connect to social media and content platform APIs by navigating developer portals, creating apps, obtaining OAuth tokens, and storing credentials. Covers Fac... It is an AI Agent Skill for Claude Code / OpenClaw, with 554 downloads so far.
How do I install Platform API Connector?
Run "/install platform-api-connector" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Platform API Connector free?
Yes, Platform API Connector is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Platform API Connector support?
Platform API Connector is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Platform API Connector?
It is built and maintained by brandonwadepackard-cell (@brandonwadepackard-cell); the current version is v1.0.0.
More Skills