jpaulgrayson

Social Poster

Author: JPaulGrayson · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 1064
Favorites: 0
Current installs: 7
Number of versions: 1
Install in OpenClaw
/install social-poster
Description
Post to social media via VibePost API. Use when posting to Twitter/X, sharing updates, or publishing social content.
Security usage advice
This skill will post whatever text it is given to an external Replit-hosted API and includes a hardcoded API key inside the script. Before installing, consider the following: (1) The embedded API key is not declared and could allow anyone using the skill to post via that service — ask the author to remove the hardcoded key and require a user-owned key passed via an environment variable. (2) Verify the endpoint and operator (https://vibepost-jpaulgrayson.replit.app) — it's a personal/third-party host, not an official, known provider. (3) Do not send sensitive content through this skill until you trust the endpoint. (4) Prefer a version that documents required credentials in metadata and uses process environment variables (not embedded secrets). If you cannot confirm the maintainer or remove the embedded key, avoid installing or run it only with a disposable/test account.
Functional analysis
Type: OpenClaw Skill · Name: social-poster · Version: 1.0.0
The skill is classified as suspicious primarily due to a critical vulnerability: a hardcoded API key (`API_KEY`) directly embedded in `scripts/post.mjs`. While the script's stated purpose is benign (posting to a social media API at `https://vibepost-jpaulgrayson.replit.app`), hardcoding sensitive credentials makes them easily discoverable and compromises security. There is no evidence of intentional malicious behavior like data exfiltration, unauthorized command execution, or prompt injection attempts against the agent.
Capability assessment
Purpose & Capability
The skill's stated purpose (posting to social media via VibePost) matches the included script which performs an HTTP POST to an API. However the endpoint is a personal Replit URL and the script contains a hardcoded API key instead of declaring a credential the user provides — this is unexpected and reduces transparency.
Instruction Scope
SKILL.md and the script are focused on posting text to the VibePost endpoint and do not reference unrelated files, system config, or additional environment variables. The script will send whatever text the agent supplies to an external service, which is consistent with the skill's purpose but is a privacy risk if sensitive content is posted.
Install Mechanism
There is no install spec (instruction-only plus a small script). Nothing is downloaded or written by an install step, which is low-risk in terms of installation mechanics.
Credentials
The skill requests no environment variables or credentials in metadata, yet the script contains a long, hardcoded API key ('quack_...') and uses it to authenticate to a third-party Replit-hosted API. This undeclared embedded credential is a mismatch with the metadata and is risky: it grants posting ability without the user supplying their own key and could be abused.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings.
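How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install social-poster
  3. Once installation completes, invoke the Skill by name or trigger it with /social-poster
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history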
v1.0.0
Initial release
Metadata
Slug social-poster
Version 1.0.0
License
Total installs 7
Current installs 7
Number of versions 1
FAQ

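What is Social Poster?

Post to social media via VibePost API. Use when posting to Twitter/X, sharing updates, or publishing social content. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1064 total downloads to date.

How do I install Social Poster?

Run the command "/install social-poster" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Social Poster free?

Yes, Social Poster is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Social Poster support?

Social Poster runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Social Poster?

Developed and maintained by JPaulGrayson (@jpaulgrayson); the current version is v1.0.0.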
