AutoPost GitHub Bounty

Author: vut08905 · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 81
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install autopost-github-bounty
Description
Automatically generate and post optimized social media content promoting GitHub bounty campaigns using repo data and custom messages.
Usage instructions (SKILL.md)

AutoPost GitHub Bounty Campaign

Description

This skill automatically generates shareable content for Bounty campaigns on GitHub. It helps post effectively to increase participation and complete the bounty's requirements.


Features

  1. Fetch the title and description from the GitHub repository.
  2. Create a post with content optimized for a call to action (CTA).
  3. Send the post via social networks (Twitter, Facebook, etc.).

Required configuration

  • GitHub API token (to fetch repo information).
  • API tokens for the social platforms (Twitter, etc.).

Installation guide

  1. Clone the repo:
git clone https://github.com/<user>/clawhub-skill-autopost.git
  2. Install dependencies:
npm install
  3. Run the skill:
node autopost.js --repo <repo_url> --platform "twitter" --message "<custom_message>"
Security recommendations
This skill is inconsistent: it advertises automatic multi-platform posting but the code only reads a GitHub repo and prints a composed message. Before running or providing any credentials: (1) don't supply API tokens until you audit the code — the registry didn't declare required env vars but the script reads GITHUB_TOKEN via dotenv; (2) verify and fix the invocation (the script doesn't parse --repo/--platform flags as shown); (3) if you need actual posting, inspect or implement the platform-specific APIs yourself rather than trusting this package; (4) run npm install and execute only in a sandboxed environment or CI runner you control; (5) review package-lock for suspicious third-party packages and consider pinning or replacing dependencies. Because of these mismatches and missing documentation, treat the package as untrusted until you confirm its behavior and provenance.
Functional analysis
Type: OpenClaw Skill
Name: autopost-github-bounty
Version: 1.0.0
The skill bundle exhibits strong indicators of a potential supply chain attack. The package-lock.json file specifies versions for several popular libraries (axios 1.15.0, dotenv 16.6.1, and follow-redirects 1.15.11) that are significantly higher than the current official releases, a technique often used in dependency confusion attacks. Additionally, the _meta.json file contains a future-dated timestamp (2026). While the autopost.js script itself is functionally benign and lacks explicit malicious logic, the anomalous environment configuration suggests an intent to trigger the installation of potentially compromised third-party packages during the 'npm install' step.
Capability assessment
Purpose & Capability
The skill claims to 'send posts' to Twitter/Facebook/etc., but autopost.js only fetches repository details from the GitHub API and logs a message; there is no implemented platform integration. SKILL.md asks for social API tokens, but the package metadata lists no required env vars — capabilities and declared requirements do not match.
Instruction Scope
SKILL.md tells the user to run with flags like --repo and --platform, but autopost.js reads raw process.argv positions (no flag parsing), so the example invocation is incorrect. The instructions say GitHub and social API tokens are required but do not explain how to provide them (.env usage is not mentioned), while the code uses dotenv and reads process.env.GITHUB_TOKEN. The runtime instructions are vague and inconsistent with the actual code behavior.
Install Mechanism
There is no custom install script; dependencies are standard npm packages (axios, dotenv) with package-lock referencing npm registry URLs. No external or unusual download URLs or archive extraction were present in the manifest.
Credentials
Registry metadata lists no required env vars, but autopost.js expects GITHUB_TOKEN (via process.env) and uses dotenv. SKILL.md additionally requests social platform tokens that the code does not use. Environment variable requirements are under-declared and misaligned with both the README and the code.
Persistence & Privilege
The skill does not request always:true, does not modify system or other skills, and does not declare persistent system-level privileges. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges.
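How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install autopost-github-bounty
  3. After installation completes, invoke the Skill by name or trigger it with /autopost-github-bounty
  4. Provide the necessary input according to the Skill's parameter description to get structured output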
Version history
v1.0.0
Initial release with automatic post feature.
Metadata
Slug: autopost-github-bounty
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 1
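FAQ

What is AutoPost GitHub Bounty?

Automatically generate and post optimized social media content promoting GitHub bounty campaigns using repo data and custom messages. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 81 cumulative downloads to date.

How do I install AutoPost GitHub Bounty?

Run the command "/install autopost-github-bounty" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is AutoPost GitHub Bounty free?

Yes. AutoPost GitHub Bounty is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does AutoPost GitHub Bounty support?

AutoPost GitHub Bounty runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed AutoPost GitHub Bounty?

Developed and maintained by vut08905 (@vut08905); the current version is v1.0.0.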
