Social Post

Post and reply to X/Twitter and Farcaster with text and images. Features multi-account support, auto-variation to avoid duplicate content detection, draft preview, character validation, threads, replies, and image uploads. Consumption-based pricing for X API, pay-per-cast for Farcaster.

This skill is functionally aligned with its stated goal (posting to X and Farcaster) but has multiple red flags you should resolve before installing or using it with real credentials: - Missing dependency declarations: the code calls node, npm, and inlined node scripts and uses Python libraries (requests, requests_oauthlib), but the registry only lists bash, curl, jq, python3, shuf. Add node/npm and the Python deps or run in a controlled environment. - High-value secrets: Farcaster requires custodyPrivateKey and signerPrivateKey in a JSON file. These are wallet private keys — anyone with them can spend funds and post as you. Do NOT populate the credentials file on a machine you don't control or expose those keys to an untrusted environment. - Hard-coded absolute paths: scripts reference /home/phan_harry/.openclaw and a farcaster-agent workspace repo. Update paths to be configurable (e.g., respect $HOME or an env var) and avoid referencing other skills' repos on disk. - Autonomy risk: the skill can run without interactive confirmation (there is a --yes flag and the agent may invoke the skill autonomously). With private keys present it could post or spend funds; only enable autonomous invocation if you trust the skill and its maintainer. - Missing install instructions for npm dependencies: the Farcaster posting uses '@farcaster/hub-nodejs', ethers, and a local x402 submit implementation. Verify and audit those JS dependencies (npm install) before running; run in an isolated/sandboxed environment. - Behaviour to consider: the 'auto-variation' feature is explicitly designed to bypass duplicate-detection — that may violate platform rules; consider whether you want that capability. Recommended actions before use: 1) Review the full code (especially lib/farcaster.sh and any JS files under the referenced farcaster-agent repo). 2) Remove or change hard-coded paths to use configurable locations. 3) Ensure metadata lists all required env vars and binaries (including node/npm and Farcaster credential file). 4) Test in a throwaway account and in an isolated environment. 5) If you will store private keys, use hardware wallets or a secure signing service rather than plaintext files when possible. 6) If you do not trust the author, do not provide your Farcaster private keys or production X credentials.

Type: OpenClaw Skill Name: social-post Version: 1.4.0 The skill is classified as suspicious due to its reliance on unstated external dependencies for core functionality. Specifically, `lib/twitter.sh` attempts to execute `/home/phan_harry/.openclaw/workspace/scripts/twitter-post.sh` for text-only Twitter posts, but this script is not included in the bundle. Additionally, `lib/farcaster.sh` implicitly depends on the internal file structure and code (`./src/x402`) of another OpenClaw skill located at `/home/phan_harry/.openclaw/workspace/skills/farcaster-agent/repo`, which introduces a supply chain risk. While the skill's stated purpose is benign and its direct code does not show malicious intent, these unmanaged external dependencies elevate its risk profile.