skroller

Automate scraping and filtering of public social media posts with keyword search, engagement filters, deduplication, and export to JSON, CSV, or notes apps.

What to consider before installing/using this skill: - Missing declared secrets: The registry lists no required env vars, but the code expects values such as NOTION_API_KEY / NOTION_TOKEN and MS_TOKEN for exports; confirm which credentials you'll need and avoid supplying high-privilege tokens. Prefer creating a dedicated, limited-scope API key for Notion/OneDrive if you use those features. - Filesystem writes: The tool writes files (e.g., .skroller-seen.json, cookies.json) and creates notes in your specified vault/folders. Run in an isolated directory or VM to avoid accidental contamination of your primary workspace. - Anti‑bot / evasion guidance: The docs explicitly recommend proxy rotation, residential proxy services, user-agent rotation, and mouse simulation. Those are techniques that can be used to evade platform detection and may violate target platforms' Terms of Service — do not use them to bypass access controls or for abusive purposes. - Shell execution: export-to-notes uses child_process.execSync (invoking 'grizzly' CLI and constructing shell commands). If you pass untrusted input into filenames, note titles, or tags, it could result in command injection. Audit how filenames/titles are constructed before running with untrusted data. - Legal/ToS risk: The author repeatedly notes ToS and privacy obligations, but that is not a guarantee. Scraping certain platforms (LinkedIn, Twitter/X, Instagram) may violate their Terms; consult legal counsel if this is for commercial use or large‑scale collection. - Recommended actions before running: - Inspect the scripts (you already have them) and search for any references to environment variables or remote endpoints you do not expect. - Run npm install and test in a sandboxed environment (container/VM) first. - Use low-volume, conservative settings, and prefer official APIs where available. - If exporting to third‑party services, create limited-scope API tokens and avoid using personal or organization-wide tokens. - Consider removing or hardening anti-evasion/proxy code if you intend to remain strictly within platform policies. If you want, I can list every environment variable and external dependency the code references and point to the exact lines where they appear.

Type: OpenClaw Skill Name: skroller Version: 0.0.1 The skill bundle provides a comprehensive framework for social media scraping and data export to various note-taking applications. However, it contains significant security vulnerabilities in `scripts/export-to-notes.js`, where unsanitized data from scraped posts is passed into `execSync` calls for `osascript` (Apple Notes) and `grizzly` (Bear notes), creating a high risk of shell injection. While these appear to be unintentional coding flaws rather than intentional malware, they allow for potential remote code execution if the agent scrapes specially crafted malicious content from social media platforms.