Social Reply Bot

Author: mguozhen · GitHub · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 269
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install social-reply-bot
Description
Reddit & X/Twitter auto-reply bot for ecommerce/SaaS growth. Finds relevant posts about AI customer service, Amazon FBA, Shopify — posts genuine AI-generated...
Security usage recommendations
Key things to check before installing:
- The registry metadata omits requirements the code needs (it uses ANTHROPIC_API_KEY and the 'browse' CLI). Treat SKILL.md/README as authoritative and double-check they match what the installer will do.
- Do NOT run curl ... | bash without inspection. Download install.sh and setup.sh from the repo and read them locally (or run them in an isolated VM/container) before executing.
- The tool requires you to log into Reddit/X in an automated browser session; that gives the software the ability to post using your accounts. This can lead to account suspension if behavior violates platform policies. Consider using throwaway/test accounts first.
- The installer registers a macOS LaunchAgent (persistent scheduled runs) and creates files under your home directory — if you don’t want persistent background jobs, skip the installer and run the code manually in a controlled environment.
- The code contains hard-coded checks/strings (e.g., account names like 'mguozhen', 'VocAiSage', 'Hunter Guo') that indicate it was tailored to the author’s accounts; expect to review and adapt code before using it with your accounts.
- Limit the Anthropic API key you use (billing/permissions) and monitor usage. If possible create a dedicated key with strict limits.
- If you lack confidence auditing the install scripts or the code, run the project in an isolated VM or container (or avoid installing) and/or ask the author to provide a reproducible install manifest and to fix the registry metadata mismatches.
Functional analysis
Type: OpenClaw Skill
Name: social-reply-bot
Version: 1.2.0
The bundle implements a social media automation bot with several high-risk behaviors and security vulnerabilities. Most critically, `bot/browser.py` contains a shell injection vulnerability where it executes commands via `subprocess.run(shell=True)` using unsanitized string interpolation in functions like `type_text`. The installation scripts (`install.sh` and `setup.sh`) establish persistence on macOS by creating a `LaunchAgent` and insecurely store the `ANTHROPIC_API_KEY` in a local plist file. Additionally, the `SKILL.md` file contains instructions for the AI agent to execute a remote script via `curl | bash` (from `raw.githubusercontent.com`), which is a high-risk pattern for remote code execution and prompt injection.
Capability tags
requires-oauth-token
Capability assessment
Purpose & Capability
The skill claims to be a social auto-reply bot (Reddit + X) which legitimately needs a Claude/Anthropic API key and a browser automation CLI, and the code uses those. However the registry metadata declares no required environment variables or binaries while SKILL.md and the source require ANTHROPIC_API_KEY and the 'browse' CLI. That mismatch between declared requirements and actual code/instructions is incoherent and should be clarified.
Instruction Scope
SKILL.md instructs you to run a one-line installer (curl | bash) from the GitHub repo and to log into your Reddit and X accounts in a browse-controlled Chrome window. The runtime instructions and code will automate browsing, click Google OAuth selectors, post comments, and run a Reddit 'warmup' mode that posts multiple comments. These actions stay within the stated purpose but require interacting with your logged-in browser sessions and performing automated posts — a high-impact capability that should be explicitly acknowledged.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md/README direct users to curl the project's install.sh from raw.githubusercontent.com and pipe it to bash. Although hosted on GitHub (better than a personal IP), piping remote install scripts to shell is high-risk and the installer is described as cloning the repo, installing dependencies, initializing an SQLite DB, and registering a macOS LaunchAgent. You should inspect install.sh and setup.sh before running them.
Credentials
The code explicitly requires ANTHROPIC_API_KEY (and optionally BROWSERBASE_API_KEY / PROJECT_ID). The registry metadata listed no required env vars or primary credential, which is inaccurate. Those environment variables are necessary for the bot to function (AI generation and optional persistent browser sessions). No other unrelated credentials are requested in the code, which is proportionate — but the metadata mismatch is problematic.
Persistence & Privilege
The installer will (per README) register a macOS LaunchAgent to run daily and create files under ~/social-bot and a logs directory; the repo includes install/setup scripts that likely modify your system (install global npm packages, register scheduled jobs). The skill does not claim always:true, but it does request persistent scheduled execution on install — review and approve that behavior before installing.
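How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install social-reply-bot
  3. After installation, invoke the Skill by name or trigger it with /social-reply-bot
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history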
v1.2.0
Redesigned README: professional layout with badges, screenshots, architecture diagram, FAQ, and comprehensive English documentation
v1.1.0
**Reddit account warmup and lead tracking features added**
- Added Reddit warmup: build account karma by posting comments in low-moderation subs (natural delays, no product mentions)
- Introduced lead tracking: analyze replied posts for customer potential, scoring and extracting business details
- Dashboard and CLI updated to support new commands: `warmup`, `leads`
- Refined product description and trigger keyword config in documentation
- Removed dashboard code and legacy setup script for a more streamlined core
- Updated setup instructions for easier installation
v1.0.1
Fix Reddit navigation: open_url return, proper content extraction, stable comment-link nav
v1.0.0
Initial release: Reddit & X auto-reply with AI-generated responses
Metadata
Slug: social-reply-bot
Version: 1.2.0
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 4
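FAQ

What is Social Reply Bot?

Reddit & X/Twitter auto-reply bot for ecommerce/SaaS growth. Finds relevant posts about AI customer service, Amazon FBA, Shopify — posts genuine AI-generated... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 269 total downloads so far.

How do I install Social Reply Bot?

Run the command "/install social-reply-bot" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is Social Reply Bot free?

Yes, Social Reply Bot is completely free; it uses the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Social Reply Bot support?

Social Reply Bot runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Social Reply Bot?

Developed and maintained by mguozhen (@mguozhen); the current version is v1.2.0.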