vut08905

AutoPost GitHub Bounty

by vut08905 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 81 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install autopost-github-bounty
Description
Automatically generate and post optimized social media content promoting GitHub bounty campaigns using repo data and custom messages.
README (SKILL.md)

AutoPost GitHub Bounty Campaign

Description

This skill automatically generates shareable content for Bounty campaigns on GitHub. It helps you post effectively to increase participation and fulfill the bounty's requirements.


Features

  1. Fetch the title and description from the GitHub repository.
  2. Create a post with content optimized for a call to action (CTA).
  3. Send the post via social networks (Twitter, Facebook, etc.).

Required configuration

  • GitHub API token (to fetch repo information).
  • API tokens for the social platforms (Twitter, etc.).

Installation guide

  1. Clone the repo:
git clone https://github.com/<user>/clawhub-skill-autopost.git
  2. Install dependencies:
npm install
  3. Run the skill:
node autopost.js --repo <repo_url> --platform "twitter" --message "<custom_message>"
Usage Guidance
This skill is inconsistent: it advertises automatic multi-platform posting but the code only reads a GitHub repo and prints a composed message. Before running or providing any credentials: (1) don't supply API tokens until you audit the code — the registry didn't declare required env vars but the script reads GITHUB_TOKEN via dotenv; (2) verify and fix the invocation (the script doesn't parse --repo/--platform flags as shown); (3) if you need actual posting, inspect or implement the platform-specific APIs yourself rather than trusting this package; (4) run npm install and execute only in a sandboxed environment or CI runner you control; (5) review package-lock for suspicious third-party packages and consider pinning or replacing dependencies. Because of these mismatches and missing documentation, treat the package as untrusted until you confirm its behavior and provenance.
Capability Analysis
Type: OpenClaw Skill
Name: autopost-github-bounty
Version: 1.0.0

The skill bundle exhibits strong indicators of a potential supply chain attack. The package-lock.json file specifies versions for several popular libraries (axios 1.15.0, dotenv 16.6.1, and follow-redirects 1.15.11) that are significantly higher than the current official releases, a technique often used in dependency confusion attacks. Additionally, the _meta.json file contains a future-dated timestamp (2026). While the autopost.js script itself is functionally benign and lacks explicit malicious logic, the anomalous environment configuration suggests an intent to trigger the installation of potentially compromised third-party packages during the 'npm install' step.
Capability Assessment
Purpose & Capability
The skill claims to 'send posts' to Twitter/Facebook/etc., but autopost.js only fetches repository details from the GitHub API and logs a message; there is no implemented platform integration. SKILL.md asks for social API tokens, but the package metadata lists no required env vars — capabilities and declared requirements do not match.
Instruction Scope
SKILL.md tells the user to run with flags like --repo and --platform, but autopost.js reads raw process.argv positions (no flag parsing), so the example invocation is incorrect. The instructions say GitHub and social API tokens are required but do not explain how to provide them (.env usage is not mentioned), while the code uses dotenv and reads process.env.GITHUB_TOKEN. The runtime instructions are vague and inconsistent with the actual code behavior.
Install Mechanism
There is no custom install script; dependencies are standard npm packages (axios, dotenv) with package-lock referencing npm registry URLs. No external or unusual download URLs or archive extraction were present in the manifest.
Credentials
Registry metadata lists no required env vars, but autopost.js expects GITHUB_TOKEN (via process.env) and uses dotenv. SKILL.md additionally requests social platform tokens that the code does not use. Environment variable requirements are under-declared and misaligned with both the README and the code.
Persistence & Privilege
The skill does not request always:true, does not modify system or other skills, and does not declare persistent system-level privileges. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install autopost-github-bounty
  3. After installation, invoke the skill by name or use /autopost-github-bounty
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release with automatic post feature.
Metadata
Slug autopost-github-bounty
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is AutoPost GitHub Bounty?

Automatically generate and post optimized social media content promoting GitHub bounty campaigns using repo data and custom messages. It is an AI Agent Skill for Claude Code / OpenClaw, with 81 downloads so far.

How do I install AutoPost GitHub Bounty?

Run "/install autopost-github-bounty" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AutoPost GitHub Bounty free?

Yes, AutoPost GitHub Bounty is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does AutoPost GitHub Bounty support?

AutoPost GitHub Bounty is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created AutoPost GitHub Bounty?

It is built and maintained by vut08905 (@vut08905); the current version is v1.0.0.
