← Back to Skills Marketplace
Reddit Quote Carousel Topaz
by
psyduckler
· GitHub ↗
· v1.0.0
728
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install reddit-quote-topaz
Description
Create an Instagram carousel from a popular-picks list with Reddit quotes + Topaz 2x upscaling. Cover = "clean" style ("Top CATEGORY in Destination"), attrac...
Usage Guidance
Do not install or grant this skill full autonomy until the author clarifies and fixes the mismatches. Questions / actions to request before proceeding: 1) Declare exactly which credentials/configs are required (Topaz API key, Instagram Graph API token, instagram-account-id, and any Git credentials) and the expected mechanism (env vars vs Keychain). 2) Remove or explain the hardcoded local path (/Users/psy/...) and provide a portable overlay tool or a dependency list/install instructions. 3) Confirm target repository and whether the skill will push to a public repo; require explicit git credentials and least-privilege tokens. 4) Note the platform assumption (macOS Keychain use) and either add an alternative for other OSes or restrict OS support in metadata. 5) If you must use this skill, run it in a sandboxed agent and avoid giving it a long‑lived Instagram token with publish scope — use a short‑lived/test account and review activity logs. 6) Consider disabling autonomous invocation (require manual approval) until you trust the behavior. If the author cannot or will not address these issues, treat the skill as risky and do not provide it access to your Keychain or publish tokens.
Capability Analysis
Type: OpenClaw Skill
Name: reddit-quote-topaz
Version: 1.0.0
The skill bundle is classified as suspicious due to two primary risky capabilities, even though there is no clear evidence of intentional malicious behavior. First, the `popular_picks_url` parameter is user-controlled and directly fed to `web_fetch` without explicit sanitization or validation instructions, creating a potential Server-Side Request Forgery (SSRF) or Local File Inclusion (LFI) vulnerability if the `web_fetch` function is not robustly secured. Second, the skill includes instructions for `git push` operations to host images, which implies the agent has broad write permissions to a repository. While these actions are plausibly needed for the stated purpose of creating Instagram carousels, they represent significant attack surfaces if the agent's environment or input handling is not perfectly secure.
Capability Assessment
Purpose & Capability
The skill's name/description (Reddit quotes + Topaz upscale → Instagram carousel) is coherent with instructions to fetch a popular‑picks page, find photos, run Topaz, overlay text, and publish. However, the SKILL.md presumes access to macOS Keychain entries, an Instagram Graph API token, and push access to a 'tabiji' repo — none of which are declared in the registry metadata. Also it references a hardcoded, user‑specific script path (/Users/psy/.openclaw/...) which is not portable or declared.
Instruction Scope
Instructions do more than simple image composition: they read secrets from macOS Keychain via the security CLI, download and upload images to Topaz Labs, use a local python overlay script at a specific user path, and git‑push files to a repo. They therefore access local secrets, local filesystem paths, and external services beyond just reading the provided popular_picks_url. The skill also assumes tools like curl, jq, git and python are present and that the runtime can access Keychain and a particular project workspace.
Install Mechanism
This is an instruction‑only skill with no install spec or code files, so nothing will be written to disk by an installer. That lowers install risk. The runtime still instructs downloading/uploading images and calling external APIs (Topaz and GitHub raw URLs) which are normal for this purpose.
Credentials
The registry lists no required environment variables or config paths, but the SKILL.md explicitly expects macOS Keychain items (topaz-api-key, instagram-access-token, instagram-account-id) and uses them to call Topaz and the Instagram Graph API and to publish posts. It also expects push access to the tabiji repo. Sensitive credentials are used but not declared — a clear mismatch and disproportionate for an install that advertised no required secrets.
Persistence & Privilege
The skill does not request 'always: true', but its instructions include publishing directly to Instagram (using an access token) and pushing hosted images to a repository. If the agent can invoke this skill autonomously (default), it could publish content on behalf of the user. Combined with the undeclared credentials and Keychain access, this increases the blast radius and warrants caution.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install reddit-quote-topaz - After installation, invoke the skill by name or use
/reddit-quote-topaz - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is Reddit Quote Carousel Topaz?
Create an Instagram carousel from a popular-picks list with Reddit quotes + Topaz 2x upscaling. Cover = "clean" style ("Top CATEGORY in Destination"), attrac... It is an AI Agent Skill for Claude Code / OpenClaw, with 728 downloads so far.
How do I install Reddit Quote Carousel Topaz?
Run "/install reddit-quote-topaz" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Reddit Quote Carousel Topaz free?
Yes, Reddit Quote Carousel Topaz is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Reddit Quote Carousel Topaz support?
Reddit Quote Carousel Topaz is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Reddit Quote Carousel Topaz?
It is built and maintained by psyduckler (@psyduckler); the current version is v1.0.0.
More Skills