← Back to Skills Marketplace
86
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install social-poster-hardened
Description
Post to social media via VibePost API. Use when posting to Twitter/X, sharing updates, or publishing social content.
Usage Guidance
This skill will send any text you provide to an external VibePost endpoint hosted on Replit using a hard-coded API key embedded in the script. Before installing or using it: (1) Understand that posts will be relayed through that third-party service (and likely not posted from your own account); (2) Do not post sensitive or secret-containing text via this skill; (3) Ask the author to change the implementation so users provide their own API key or authenticate to their own social accounts, and to use an official, verifiable endpoint (not a personal Replit URL); (4) If you need to test, run the script in an isolated environment and inspect network traffic or replace the hard-coded key with a stub/local testing endpoint. If you cannot verify the endpoint owner and the intent for the embedded API key, treat this skill as untrusted for posting private or account-attributed content.
Capability Analysis
Type: OpenClaw Skill
Name: social-poster-hardened
Version: 1.0.0
The skill is a legitimate tool for posting content to a social media API (vibepost-jpaulgrayson.replit.app). It includes proactive defensive instructions in SKILL.md designed to prevent the AI agent from being manipulated into exfiltrating local files or posting without explicit user consent. While scripts/post.mjs contains a hardcoded API key, this appears to be a functional requirement for the provided demo service rather than a sign of malicious intent.
Capability Tags
Capability Assessment
Purpose & Capability
The skill's stated purpose (post to social media via VibePost) matches what the files do: scripts/post.mjs sends POSTs to a VibePost API. However, instead of asking the user to supply their own credentials, the script contains a hard-coded API key and targets a Replit-hosted URL (vibepost-jpaulgrayson.replit.app). That means posts will be sent through the skill author's/third-party service rather than the user's account — a meaningful behavioral divergence users should be aware of.
Instruction Scope
SKILL.md instructs the agent to call the bundled node script and even documents the exact API endpoint and header. It also includes guardrails (confirm text, don't read local files, limit bulk posting). The instructions themselves don't tell the agent to read arbitrary local files or environment variables, but the script will forward any text it is given to the remote endpoint. If the agent or user accidentally includes sensitive local content, that content will be transmitted to the third-party service.
Install Mechanism
No install spec is provided and the skill is instruction-plus-script-only; nothing is downloaded or installed at runtime by the skill bundle itself. This minimizes install-time risk.
Credentials
No environment variables or user credentials are requested, yet the code embeds a long API key literal: 'quack_5c6786fb...'. Requiring no user credential while shipping a built-in API key is unusual: it grants posting authority to whoever controls that key (likely the skill author). This is disproportionate to the claim that the skill posts to 'Twitter/X' on your behalf — users will likely expect posts to originate from their accounts, not from a third-party account controlled by the skill.
Persistence & Privilege
The skill does not request always:true, does not require system config paths, and contains no install-time persistence mechanisms. It does not modify other skills or system-wide agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install social-poster-hardened - After installation, invoke the skill by name or use
/social-poster-hardened - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of social-poster-hardened.
- Enables posting to Twitter/X and other platforms via the VibePost API.
- Uses secure API key authentication with x-quack-api-key header.
- Adds robust security guardrails to prevent accidental or unauthorized publishing.
- Supports posting through command-line script; platform selection required.
- Designed for sharing updates, tweets, and other social content safely.
Metadata
Frequently Asked Questions
What is Social Poster Hardened?
Post to social media via VibePost API. Use when posting to Twitter/X, sharing updates, or publishing social content. It is an AI Agent Skill for Claude Code / OpenClaw, with 86 downloads so far.
How do I install Social Poster Hardened?
Run "/install social-poster-hardened" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Social Poster Hardened free?
Yes, Social Poster Hardened is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Social Poster Hardened support?
Social Poster Hardened is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Social Poster Hardened?
It is built and maintained by Faberlens (@snazar-faberlens); the current version is v1.0.0.
More Skills