yasin047

Bundle

Author: Yasin047 · GitHub · v0.1.2 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 93
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install so-me-studio
Description
so-me.studio is a multi-platform social-media scheduler. Schedule posts, manage drafts, reply to inbox messages and post comments, generate AI captions/image...
Security usage recommendations
This skill appears to be a CLI helper for the legitimate so-me.studio service and only requests the service API key, but proceed cautiously:
- Confirm identity: verify the npm package @so-me/cli and the publisher before installing (check the package page, author, and GitHub repo referenced by the package). The registry metadata/title mismatch ('Bundle' vs 'so-me-studio') is odd; ask the publisher or check the package source if unsure.
- Prefer browser OAuth over pasting keys: do not paste long API keys on the command line (they appear in shell history and may be visible to other processes). Use browser OAuth or set env vars in a secure session and avoid embedding keys in one-off CLI arguments.
- Limit key scope & rotate: if possible create and use a restricted API key with only the needed scopes and rotate it if you later revoke access.
- Audit webhook usage: the CLI can create webhook subscriptions with arbitrary URLs. If you allow the agent to create webhooks, make sure you control the target URL or understand where data will be sent.
- Least privilege for automation: when giving an agent the API key, consider using a test workspace or an account with limited permissions first.
If you want me to recommend specific checks (npm package verification steps, example least-privilege key scopes, or safer CLI usage patterns), I can provide them.
Functional analysis
Type: OpenClaw Skill
Name: so-me-studio
Version: 0.1.2
The so-me-studio skill bundle is a comprehensive and well-documented integration for a social media management platform. It provides 143 tools for managing posts, analytics, and inbox communications across multiple platforms. The SKILL.md file includes proactive security instructions, explicitly telling the AI agent never to echo the SOMESTUDIO_API_KEY, which mitigates potential prompt-injection attacks aimed at credential theft. The bundle follows standard patterns for CLI-based agent skills, uses the official so-me.studio domain, and lacks any indicators of malicious intent, obfuscation, or unauthorized data exfiltration.
Capability tags
requires-oauth-token, requires-sensitive-credentials
Capability assessment
Purpose & Capability
The SKILL.md describes the so-me.studio CLI and its social-media scheduling features and the declared required env var (SOMESTUDIO_API_KEY) aligns with that purpose. Inconsistencies: the top-level skill name in the registry is 'Bundle' while the SKILL.md and slug identify 'so-me-studio'; the registry metadata lists no required binaries even though the instructions assume an installable CLI (npm/pnpm global install). These look like packaging or metadata mistakes rather than outright misdirection, but they should be clarified.
Instruction Scope
Runtime instructions are narrowly scoped to invoking the so-me CLI commands (accounts:list, posts:create, ai:generate-*, inbox:reply, etc.). The instructions do not request unrelated file system access. Important operational details: the SKILL.md advises passing API keys directly on the CLI (`so-me auth:login --api-key ...`) or exporting them in env vars, and it documents creating webhook subscriptions (URL is a free-form field). Those actions can leak secrets (shell history/process lists) or be used to send account data to arbitrary endpoints if misused.
Install Mechanism
There is no formal install spec; the SKILL.md recommends installing @so-me/cli from the public npm registry (npmjs.com). Installing a global npm package is a common and expected mechanism for exposing the so-me CLI, but it does download and run third-party code (moderate risk). No direct download of arbitrary archives or obscure hosts is suggested.
Credentials
The skill requests a single env var, SOMESTUDIO_API_KEY, which is proportionate to its stated purpose. However: the documentation encourages providing the raw API key on the CLI or as an exported env var (both can leak via shell history or process lists); the API key likely grants broad workspace-level access (posting, deleting, listing accounts, creating webhooks, team management). A single API key therefore has high impact; the SKILL.md does not advise least-privilege keys or scopes.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation defaults. It does not request system-wide configuration changes or other skills' credentials. No elevated persistence privileges are apparent.
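How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install so-me-studio
  3. Once installation completes, invoke the skill by name or trigger it with /so-me-studio
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history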
v0.1.2
Revert bins to [] — fixes OpenClaw npm-install loop.
v0.1.1
Fix: declare 'so-me' as a required bin in SKILL.md frontmatter (was empty array). Resolves the metadata-inconsistency security flag from the v0.1.0 scan.
v0.1.0
Initial release. 143 MCP tools across all so-me.studio resources.
Metadata
Slug so-me-studio
Version 0.1.2
License MIT-0
Total installs 0
Current installs 0
Number of versions 3
FAQ

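What is Bundle?

so-me.studio is a multi-platform social-media scheduler. Schedule posts, manage drafts, reply to inbox messages and post comments, generate AI captions/image... It is an AI agent skill plugin for Claude Code / OpenClaw, with 93 total downloads to date.

How do I install Bundle?

Run the command "/install so-me-studio" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is Bundle free?

Yes. Bundle is completely free and is released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Bundle support?

Bundle is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Bundle?

It is developed and maintained by Yasin047 (@yasin047); the current version is v0.1.2.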
