batsirai

Social Media Engine

Author: Batsirai Chada · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 475
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install social-media-engine
Description
Automated social media manager — plan, write, schedule, and analyze content across X/Twitter, LinkedIn, Instagram, TikTok, Facebook, and Pinterest. Integrate...
Security usage recommendations
What to consider before installing:
- Metadata mismatch: the registry lists no required env vars but the skill requires BUFFER_API_KEY or POSTIZ_API_KEY + POSTIZ_BASE_URL. Treat those keys as necessary before using the scheduler. Ask the publisher to update registry metadata if you rely on automated vetting.
- .env exposure: the included script will try to load a .env from the skill project, the current working directory, and HOME/.openclaw/.env if present. Make sure those .env files do not contain unrelated secrets (AWS keys, DB passwords, agent tokens). Prefer creating a minimal .env that contains only the Buffer/Postiz key you intend to provide.
- Limit API key scope: when possible use API keys with the minimum privileges needed and rotate keys if you test with higher access. Prefer creating a dedicated Buffer/Postiz API key for this skill rather than reusing an account-wide secret.
- Isolation: run the skill in an isolated environment (container or dedicated account) if you are concerned about accidental access to other credentials or resources.
- Verify the source: the SKILL.md points to a GitHub repo. Inspect that repo yourself (or ask the publisher for the exact commit hash). Confirm there are no hidden endpoints or telemetry beyond Buffer/Postiz calls.
- Affiliate link: README contains an affiliate link (dub.sh/buffer-aff). This is monetization, not a direct technical concern, but be aware the author may have incentive to recommend Buffer.
- If you need stronger guarantees: use a self-hosted Postiz instance you control, or run the scheduling script manually after reviewing its behavior. If you can't verify the registry metadata or repo, treat this skill as higher risk.

If you want, I can: (1) extract and show the exact places the script reads .env and where it writes logs; (2) suggest a minimal .env template you can use; or (3) draft questions to ask the publisher to resolve the metadata mismatch.
Functional analysis
Type: OpenClaw Skill
Name: social-media-engine
Version: 1.0.0

The skill is classified as suspicious due to a vulnerability in `scripts/post-scheduler.js`. The script attempts to load API keys from `.env` files located in the skill's root, the current working directory (`process.cwd()`), and `~/.openclaw/`. While this is a common configuration pattern, it creates a risk of unintended information disclosure or misuse if other sensitive `.env` files exist in these locations and contain variables named `BUFFER_API_KEY` or `POSTIZ_API_KEY` (or their aliases). The script would then load and potentially use these unintended credentials for its API calls to Buffer or Postiz. There is no evidence of intentional malicious behavior such as arbitrary data exfiltration, persistence mechanisms, or prompt injection attempts to subvert the agent's core function.
Capability assessment
Purpose & Capability
The skill's name, description, SKILL.md, README, and included script all align: it plans, drafts, and schedules posts via Buffer or a self-hosted Postiz. However the registry metadata lists no required environment variables or primary credential while the SKILL.md and scripts clearly require BUFFER_API_KEY or POSTIZ_API_KEY + POSTIZ_BASE_URL. That metadata mismatch is an incoherence that affects permission review and automated gating.
Instruction Scope
SKILL.md explicitly instructs the agent to run node scripts that call Buffer/Postiz APIs and to read credentials from environment variables or a local .env. The runtime steps (plan, draft, present, then run node scripts to schedule) stay within the declared social-media purpose. The only scope concern: instructions and the script tell the agent to read .env files and write scheduled-post logs — this is expected for a scheduler, but it gives the skill access to any secrets found in those .env files.
Install Mechanism
No install spec is present (instruction-only plus a single JS script). That lowers installation risk because nothing is downloaded at install time and no external archives are extracted. The included code is plain JS and calls public APIs; there are no obfuscated downloads or third‑party installers.
Credentials
Requiring a Buffer API key or Postiz API key is proportionate to a scheduler. But the skill reads .env files from multiple places (project root, current working directory, and HOME/.openclaw) and will populate process.env from any matching lines it finds. Because the registry did not declare the required env vars, users may not realize which secrets will be accessed. Reading HOME/.openclaw/.env or parent .env files can surface unrelated secrets (other API keys) to the skill, which is a privacy/credential exposure risk.
Persistence & Privilege
always: false and no special persistence is requested. The skill does not claim to auto-enable itself or modify other skills. Normal autonomous invocation is allowed (platform default) and is not by itself flagged here.
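How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog: /install social-media-engine
  3. Once installed, invoke the Skill by name or trigger it with /social-media-engine
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history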
v1.0.0
Buffer-powered social media automation with AI content generation
Metadata
Slug social-media-engine
Version 1.0.0
License
Total installs 0
Current installs 0
Number of historical versions 1
FAQ

What is Social Media Engine?

Automated social media manager — plan, write, schedule, and analyze content across X/Twitter, LinkedIn, Instagram, TikTok, Facebook, and Pinterest. Integrate... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 475 total downloads to date.

How do I install Social Media Engine?

Run the command "/install social-media-engine" in the OpenClaw or Claude Code dialog to install it in one step; no additional configuration is required.

Is Social Media Engine free?

Yes, Social Media Engine is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Social Media Engine support?

Social Media Engine runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Social Media Engine?

Developed and maintained by Batsirai Chada (@batsirai); the current version is v1.0.0.
