Openclaw Social Scheduler

Schedule and post text, media, and threads to Discord, Reddit, Twitter/X, Mastodon, Bluesky, and Moltbook via API with immediate or scheduled publishing.

This skill appears to implement the described multi-platform scheduler, but review the following before installing: - Credentials: The skill expects platform API tokens/keys (Twitter, Reddit, Mastodon, Bluesky, Moltbook, Discord webhooks). The registry metadata declares no required env vars/config paths, yet the docs and examples expect config JSON files or .credentials/*.json. Confirm there are no hardcoded or bundled credentials in the package (search for strings like 'moltbook_sk_' or other API keys) and do not point the skill at any system credential stores you aren’t willing to expose. - Installation: 'npm install' will download standard npm packages. If you will run this code, do so in an isolated environment (container or VM) and review package.json/package-lock for unexpected dependencies or postinstall scripts. - Operation: The scheduler runs CLI/node scripts that will read local files (config JSONs, .credentials) and perform network calls to social platforms. Ensure you provide only the minimum credentials needed, and prefer per‑platform limited-scope tokens where available. - Autonomy & scope: If you don't fully trust the skill, avoid enabling autonomous invocation or running the scheduler daemon with keys accessible to other processes. Test posting with throwaway/test accounts first. What would change the assessment: included/bundled API keys, references to unknown external endpoints or URL shorteners, or code that reads unrelated system config files would escalate to 'malicious'. Conversely, if maintainers update the registry metadata to declare required config paths/env vars and provide a minimal, audited dependency list with no bundled credentials, the assessment could be upgraded to 'benign'.

Type: OpenClaw Skill Name: openclaw-social-scheduler Version: 0.1.0 The skill is classified as suspicious due to the use of an outdated `node-fetch` dependency (v2.7.0) which has known SSRF and request smuggling vulnerabilities (CVE-2022-0235, CVE-2022-0236, CVE-2022-0237). This is particularly concerning as the `scripts/media.js` module, used by `scripts/upload-media.js`, allows loading media from user-provided URLs and local file paths. This combination creates a potential risk for Server-Side Request Forgery (SSRF) and local file disclosure (path traversal) if an attacker can control the input to the media upload functionality. While there is no clear evidence of intentional malicious behavior (e.g., data exfiltration to unauthorized endpoints or persistence mechanisms), these risky capabilities warrant a 'suspicious' classification.