← 返回 Skills 市场
202
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install social-bot
功能描述
Reddit & X/Twitter auto-reply bot for ecommerce/SaaS growth. Finds relevant posts about AI customer service, Amazon FBA, Shopify — posts genuine AI-generated...
安全使用建议
Key things to consider before installing: (1) Do NOT run the one-line `curl | bash` blindly — review install.sh and setup.sh contents first. (2) This tool requires your ANTHROPIC_API_KEY and will send scraped post content/snippets to Anthropic for reply generation; ensure you are comfortable with that data leaving your machine. (3) The bot controls a real browser session via the browse CLI; run it in a dedicated browser profile or VM so other logged-in accounts/cookies aren't accessible. (4) The installer may register a scheduled job and run a local web dashboard—check and approve those actions manually. (5) Automated posting/warmup can violate Reddit/X policies and risk account suspension; consider the policy and legal/ethical implications. (6) If you want to proceed, audit the GitHub repo and install scripts, run in an isolated environment (VM/container), and limit the Anthropic key's billing/permissions if possible.
功能分析
Type: OpenClaw Skill
Name: social-bot
Version: 1.0.0
This skill bundle implements an automated social media bot for Reddit and X/Twitter using browser automation and AI-generated replies. It is classified as suspicious due to significant security vulnerabilities and high-risk behaviors, including a potential shell injection vulnerability in `bot/browser.py` where strings are passed to `subprocess.run(shell=True)` with insufficient sanitization. The `install.sh` script establishes persistence via a macOS LaunchAgent and stores the user's `ANTHROPIC_API_KEY` in a plaintext `.plist` file. While the bot's core functionality (automated posting and bypassing karma limits in `warmup_reddit.py`) is aggressive, there is no clear evidence of intentional malice such as data exfiltration or unauthorized remote access.
能力评估
Purpose & Capability
The code and SKILL.md align with the declared purpose: automated replies on Reddit and X via browser automation and Claude (Anthropic). However the package/registry metadata claims no required env vars or install steps while SKILL.md and code require ANTHROPIC_API_KEY, the browse CLI, and provide install scripts—this metadata mismatch is an incoherence the user should notice.
Instruction Scope
Runtime instructions and code perform broad actions: control a local Chrome session via the browse CLI (including logging in via Google OAuth), scrape pages, post comments/replies, and send post content/snippets to Anthropic. These actions are consistent with purpose but have broader scope than a simple 'reply helper' (e.g., account warmup, LaunchAgent scheduling, dashboard web server). The SKILL.md also instructs running a remote install script (curl | bash), which grants arbitrary install-time discretion.
Install Mechanism
No formal install spec in registry, but SKILL.md tells users to run `curl .../install.sh | bash` from raw.githubusercontent.com. The repository includes install.sh/setup.sh and a macOS LaunchAgent registration step. Executing a remote install script (pipe-to-shell) is high-risk—inspect the script before running and prefer manual install steps or running in an isolated environment.
Credentials
The code only requires an ANTHROPIC_API_KEY (as used by bot/ai_engine.py) which is proportional to its use of Claude. However registry metadata did not declare this env var; the SKILL.md does. Also the browse CLI will use a real browser session (cookies, logged-in accounts) which gives the skill access to any accounts signed in to that browser profile—this is sensitive and should be isolated.
Persistence & Privilege
Although always:false, the install instructions advertise registering a macOS LaunchAgent to run daily and start a local dashboard (Flask). That creates persistent scheduled execution and an always-on web endpoint on localhost. This is expected for a bot but is a privilege escalation relative to a purely ephemeral skill install—inspect install.sh and be comfortable with background scheduled tasks before proceeding.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install social-bot - 安装完成后,直接呼叫该 Skill 的名称或使用
/social-bot触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of the social-reply-bot for automated Reddit and X/Twitter engagement.
- Finds and replies to relevant posts about ecommerce, Amazon FBA, and AI customer service using AI-generated, on-topic replies.
- Includes automated Reddit account warmup to build karma for account legitimacy.
- Tracks and scores potential customer leads with urgency and pain point analysis.
- Provides CLI commands for running replies, warmup routines, lead review, and stats.
- No Reddit or X API keys needed; operates via browser automation with SQLite deduplication.
元数据
常见问题
Social Bot 是什么?
Reddit & X/Twitter auto-reply bot for ecommerce/SaaS growth. Finds relevant posts about AI customer service, Amazon FBA, Shopify — posts genuine AI-generated... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 202 次。
如何安装 Social Bot?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install social-bot」即可一键安装,无需额外配置。
Social Bot 是免费的吗?
是的,Social Bot 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Social Bot 支持哪些平台?
Social Bot 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Social Bot?
由 mguozhen(@mguozhen)开发并维护,当前版本 v1.0.0。
推荐 Skills