← Back to Skills Marketplace
202
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install social-bot
Description
Reddit & X/Twitter auto-reply bot for ecommerce/SaaS growth. Finds relevant posts about AI customer service, Amazon FBA, Shopify — posts genuine AI-generated...
Usage Guidance
Key things to consider before installing: (1) Do NOT run the one-line `curl | bash` blindly — review install.sh and setup.sh contents first. (2) This tool requires your ANTHROPIC_API_KEY and will send scraped post content/snippets to Anthropic for reply generation; ensure you are comfortable with that data leaving your machine. (3) The bot controls a real browser session via the browse CLI; run it in a dedicated browser profile or VM so other logged-in accounts/cookies aren't accessible. (4) The installer may register a scheduled job and run a local web dashboard—check and approve those actions manually. (5) Automated posting/warmup can violate Reddit/X policies and risk account suspension; consider the policy and legal/ethical implications. (6) If you want to proceed, audit the GitHub repo and install scripts, run in an isolated environment (VM/container), and limit the Anthropic key's billing/permissions if possible.
Capability Analysis
Type: OpenClaw Skill
Name: social-bot
Version: 1.0.0
This skill bundle implements an automated social media bot for Reddit and X/Twitter using browser automation and AI-generated replies. It is classified as suspicious due to significant security vulnerabilities and high-risk behaviors, including a potential shell injection vulnerability in `bot/browser.py` where strings are passed to `subprocess.run(shell=True)` with insufficient sanitization. The `install.sh` script establishes persistence via a macOS LaunchAgent and stores the user's `ANTHROPIC_API_KEY` in a plaintext `.plist` file. While the bot's core functionality (automated posting and bypassing karma limits in `warmup_reddit.py`) is aggressive, there is no clear evidence of intentional malice such as data exfiltration or unauthorized remote access.
Capability Assessment
Purpose & Capability
The code and SKILL.md align with the declared purpose: automated replies on Reddit and X via browser automation and Claude (Anthropic). However the package/registry metadata claims no required env vars or install steps while SKILL.md and code require ANTHROPIC_API_KEY, the browse CLI, and provide install scripts—this metadata mismatch is an incoherence the user should notice.
Instruction Scope
Runtime instructions and code perform broad actions: control a local Chrome session via the browse CLI (including logging in via Google OAuth), scrape pages, post comments/replies, and send post content/snippets to Anthropic. These actions are consistent with purpose but have broader scope than a simple 'reply helper' (e.g., account warmup, LaunchAgent scheduling, dashboard web server). The SKILL.md also instructs running a remote install script (curl | bash), which grants arbitrary install-time discretion.
Install Mechanism
No formal install spec in registry, but SKILL.md tells users to run `curl .../install.sh | bash` from raw.githubusercontent.com. The repository includes install.sh/setup.sh and a macOS LaunchAgent registration step. Executing a remote install script (pipe-to-shell) is high-risk—inspect the script before running and prefer manual install steps or running in an isolated environment.
Credentials
The code only requires an ANTHROPIC_API_KEY (as used by bot/ai_engine.py) which is proportional to its use of Claude. However registry metadata did not declare this env var; the SKILL.md does. Also the browse CLI will use a real browser session (cookies, logged-in accounts) which gives the skill access to any accounts signed in to that browser profile—this is sensitive and should be isolated.
Persistence & Privilege
Although always:false, the install instructions advertise registering a macOS LaunchAgent to run daily and start a local dashboard (Flask). That creates persistent scheduled execution and an always-on web endpoint on localhost. This is expected for a bot but is a privilege escalation relative to a purely ephemeral skill install—inspect install.sh and be comfortable with background scheduled tasks before proceeding.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install social-bot - After installation, invoke the skill by name or use
/social-bot - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the social-reply-bot for automated Reddit and X/Twitter engagement.
- Finds and replies to relevant posts about ecommerce, Amazon FBA, and AI customer service using AI-generated, on-topic replies.
- Includes automated Reddit account warmup to build karma for account legitimacy.
- Tracks and scores potential customer leads with urgency and pain point analysis.
- Provides CLI commands for running replies, warmup routines, lead review, and stats.
- No Reddit or X API keys needed; operates via browser automation with SQLite deduplication.
Metadata
Frequently Asked Questions
What is Social Bot?
Reddit & X/Twitter auto-reply bot for ecommerce/SaaS growth. Finds relevant posts about AI customer service, Amazon FBA, Shopify — posts genuine AI-generated... It is an AI Agent Skill for Claude Code / OpenClaw, with 202 downloads so far.
How do I install Social Bot?
Run "/install social-bot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Social Bot free?
Yes, Social Bot is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Social Bot support?
Social Bot is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Social Bot?
It is built and maintained by mguozhen (@mguozhen); the current version is v1.0.0.
More Skills