← Back to Skills Marketplace
humsafarprabhu-cmyk

Social Autopilot

by humsafarprabhu-cmyk · GitHub ↗ · v1.4.0 · MIT-0
cross-platform ⚠ suspicious
235
Downloads
0
Stars
0
Active Installs
5
Versions
Install in OpenClaw
/install social-autopilot
Description
Autonomously manage and post varied, platform-optimized social media content across X, Instagram, YouTube, and Meta using smart scheduling and data-driven th...
Usage Guidance
This skill appears to implement what it claims (autonomous posting, video generation, R2 hosting), but there are important things to check before installing or providing credentials: 1) Metadata mismatch: The registry metadata omits required environment variables while SKILL.md and the code require many sensitive tokens. Treat the SKILL.md and the code as the source of truth. 2) Run in a sandbox: Test the skill in an isolated environment (VM or container) and a Python virtualenv so you can safely install dependencies and inspect behavior without exposing your main accounts. 3) Use dedicated, limited-scope accounts/tokens: Create test or throwaway social accounts and R2 bucket and generate tokens with the minimum permissions needed (posting/upload only if possible). Avoid giving long-lived or primary-business account tokens until you trust the code. 4) Inspect and test dry-run first: Use the skill's dry-run option and review generated outputs (videos, captions) before letting it post. Verify mark_as_posted updates only the intended CSV and that no unexpected network calls occur. 5) Review OAuth and secrets handling: YouTube uses an OAuth client_secrets.json and browser flow — confirm where that file is stored and that it isn't uploaded anywhere. The code loads .env (load_dotenv) — ensure your .env doesn't contain unrelated secrets. 6) Check logging and cleanup: Logs may record filenames and public URLs; avoid printing full tokens. Be prepared to rotate any tokens used for testing. 7) Verify provenance: The README and clawhub.json reference a GitHub repo (abhinawtech/social-autopilot). If possible, pull the code directly from a verifiable upstream repository (review commit history, issues) rather than trusting an anonymous package snapshot. If you want, I can help by listing exact files and lines to inspect for network endpoints or by generating a checklist of minimum token scopes for each platform.
Capability Analysis
Type: OpenClaw Skill Name: social-autopilot Version: 1.4.0 The skill bundle is a comprehensive social media automation engine for X, Instagram, YouTube, and Meta, requiring extensive API credentials and environment variables. It performs several high-risk operations, including broad network access, file system manipulation for media generation, and the execution of a headless browser (Chromium) with the '--no-sandbox' flag via the html2image library in scripts/html_video_generator.py. Additionally, scripts/yt_auth.py uses pickle.load to manage YouTube OAuth tokens, which is a known security risk for arbitrary code execution if the local file is compromised. While these capabilities are plausibly necessary for the stated purpose of autonomous social media management, the combination of high-privilege requirements and risky execution patterns warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The skill claims to be an instruction-only autoposter in the registry metadata, but the package actually includes 16+ Python scripts that implement posting, video generation, R2 upload, and OAuth handling. Registry metadata lists no required environment variables while SKILL.md and the code require many platform credentials (X/Twitter, Instagram Graph API, Meta page, YouTube OAuth client_secrets, Cloudflare R2). This mismatch between declared metadata and actual requirements is an incoherence and could mislead users installing the skill.
Instruction Scope
SKILL.md instructs the agent to operate autonomously (generate posts, upload videos, schedule posts) and to modify local files for branding (search/replace {BRAND_NAME}/{BRAND_URL}). The included scripts read and write local CSVs, generate media, upload to R2, call platform APIs, and mark CSV rows as posted. That behavior is consistent with the stated purpose, but the explicit requirement that users edit scripts and the presence of load_dotenv means the skill will read local .env files — exercise caution because that can expose other local secrets if .env is shared.
Install Mechanism
There is no install specification (no declared package installation flow) even though the repository contains substantial Python code that depends on many packages (tweepy, moviepy, google clients, boto3, etc.). This is not inherently malicious, but it is inconsistent: the skill will require installing the listed Python packages and possibly fonts and template assets before use. The lack of an explicit install routine increases the chance an installer will miss prerequisites.
Credentials
The set of credentials the SKILL.md lists (X API keys/tokens, Instagram Graph tokens and app secret, Meta Page token/ID, YouTube OAuth client_secrets, Cloudflare R2 keys) are sensitive and grant posting/upload capability. Those credentials are proportionate to an autoposter's functionality, but the registry metadata incorrectly shows no required env vars and thus understates the required secrets. Additionally, the code uses dotenv to load .env files, which can pull in unrelated secrets if present — verify what you're exposing and prefer dedicated, minimal-scope tokens/accounts.
Persistence & Privilege
The skill is not force-included (always:false) and uses the platform-default ability to be invoked autonomously. That autonomy plus the ability to post across multiple platforms increases blast radius if credentials are compromised. There is no evidence the skill tries to modify other skills or system-wide settings; its file writes appear limited to content CSV updates, logs, and temporary media files.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install social-autopilot
  3. After installation, invoke the skill by name or use /social-autopilot
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.4.0
Removed ALL hardcoded branding (Mission UPSC, Playstore). All watermarks now use {BRAND_NAME}/{BRAND_URL} placeholders. Added clear customization section in SKILL.md. Zero hardcoded promotional text remaining.
v1.3.0
Fixed all scanner issues: added missing r2_uploader.py and yt_auth.py modules, listed R2 env vars, added boto3/google-api deps, corrected third-party data claim. Code and manifest fully aligned.
v1.2.0
Fixed: SKILL.md now lists ALL env vars matching actual code. Added scripts table, security notes, package requirements. Manifest and code fully aligned.
v1.1.0
Added all platform scripts: Instagram, YouTube, Meta, video generation. Removed hardcoded branding — now uses configurable BRAND_URL/BRAND_NAME placeholders.
v1.0.0
- Initial release of Social Autopilot: a fully autonomous social media management agent. - Automates content generation, scheduling, and posting across X (Twitter), Instagram, YouTube Shorts, and Meta (Facebook/Threads). - Supports rotating content formats (insights, hot takes, quizzes, etc.), data-driven X threads, and dynamic short-form video creation. - Smart scheduling via GitHub Actions cron and adaptive hashtag strategies by platform. - Includes niche adaptability: just swap your content database to use in any vertical. - Platform-specific best practices and engagement-boosting features like answering in comments.
Metadata
Slug social-autopilot
Version 1.4.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is Social Autopilot?

Autonomously manage and post varied, platform-optimized social media content across X, Instagram, YouTube, and Meta using smart scheduling and data-driven th... It is an AI Agent Skill for Claude Code / OpenClaw, with 235 downloads so far.

How do I install Social Autopilot?

Run "/install social-autopilot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Social Autopilot free?

Yes, Social Autopilot is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Social Autopilot support?

Social Autopilot is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Social Autopilot?

It is built and maintained by humsafarprabhu-cmyk (@humsafarprabhu-cmyk); the current version is v1.4.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments