← 返回 Skills 市场
781
总下载
0
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install typefully-social-media
功能描述
Create, schedule, and manage social media posts via Typefully. ALWAYS use this skill when asked to draft, schedule, post, or check tweets, posts, threads, or social media content for Twitter/X, LinkedIn, Threads, Bluesky, or Mastodon.
安全使用建议
This skill appears to be a legitimate Typefully CLI wrapper, but there are two red flags you should consider before installing or running it:
1) Metadata mismatch: The registry entry does not declare the TYPEFULLY_API_KEY even though the SKILL.md and included script require it. Ask the publisher (or the skill source) to update the metadata to declare TYPEFULLY_API_KEY as a required credential so automated checks and users can see this up front.
2) Endpoint override: The script honors TYPEFULLY_API_BASE (for tests/self-hosting) but this is not documented in setup. If an attacker can set that environment variable, they could redirect API calls (and capture the API key). Before using, verify the skill's source (prefer an official Typefully-published package or GitHub org), inspect the included scripts yourself, and only set TYPEFULLY_API_KEY in a safe environment. If you must test this skill, run it in an isolated environment (container or dedicated test account) and avoid using your primary Typefully account until you are satisfied with the code and metadata.
If you need to proceed: confirm the skill's publisher identity, update metadata to include TYPEFULLY_API_KEY, and ensure TYPEFULLY_API_BASE is not set (or is set only to a trusted value). If you cannot confirm the source, treat it with caution.
功能分析
Type: OpenClaw Skill
Name: typefully-social-media
Version: 0.1.0
The skill bundle is classified as **benign**.
The `SKILL.md` file is exceptionally well-crafted to prevent prompt injection and misuse by the AI agent. It explicitly forbids the agent from searching for API keys in sensitive locations (e.g., macOS Keychain, `.env` files, system folders), constructing complex shell commands to find credentials, or writing notes to local files instead of the designated `--scratchpad` API option. It also includes strong automation guidelines to prevent spamming or unauthorized actions.
The `scripts/typefully.js` script, which is the core logic, uses only built-in Node.js modules and interacts solely with the Typefully API (`api.typefully.com`). It handles API keys and configuration in a secure manner, prioritizing environment variables and offering to integrate local configuration files with `.gitignore` to prevent accidental exposure. Input arguments are parsed and validated, and there are no apparent shell injection vulnerabilities. The `sanitizeFilename` function is a good security practice. A minor functional bug was identified in `cmdMediaUpload` where the `Content-Type` header is explicitly *not* set during S3 uploads, which could lead to incorrect media handling or upload failures, but this is a functional flaw, not indicative of malicious intent or a security vulnerability. There is no evidence of data exfiltration, persistence mechanisms, or other malicious activities.
能力评估
Purpose & Capability
Name/description match the included code and SKILL.md: this is a Typefully CLI/skill for drafting, scheduling, and publishing social posts. However, the registry metadata lists no required environment variables or primary credential, while both SKILL.md and scripts/typefully.js require a TYPEFULLY_API_KEY (or config files). The metadata omission is an inconsistency that could mislead users or automated reviewers.
Instruction Scope
The SKILL.md stays on-topic and explicitly forbids searching the system for credentials. The runtime instructions and the CLI implementation only read: (1) TYPEFULLY_API_KEY env var, (2) ./ .typefully/config.json in the working directory, and (3) ~/.config/typefully/config.json — all reasonable for a CLI that stores API keys. The skill will call the Typefully API endpoint (default) to perform actions. There is no instruction to read unrelated system files or exfiltrate data, but the doc and code do reference other project files (e.g., CLAUDE.md / AGENTS.md) for “project context” which is reasonable but grants the agent discretion to look at repo-local files.
Install Mechanism
There is no install spec (instruction-only installation), and the included script is a zero-dependency Node.js CLI that runs locally. This is a low-risk install model compared with downloading arbitrary archives. The skill will be executed via the provided script (allowed-tools).
Credentials
The skill requires an API key (TYPEFULLY_API_KEY) to function, but the registry metadata does not declare this required environment variable or a primary credential — a mismatch that reduces transparency. Additionally, the script supports overriding the API base via TYPEFULLY_API_BASE (useful for testing/self-hosting) but this override is not documented in the SKILL.md's 'Setup' section; an attacker or misconfiguration could point that to an arbitrary endpoint to intercept the API key. Overall, the environment access requested is reasonable for the stated purpose, but the lack of metadata declaration and the undocumented endpoint override create a proportionality concern.
Persistence & Privilege
The skill does not request permanent presence (always is false) and does not modify other skills or system-wide settings. It reads and writes only its own expected config paths (project-local and user-global Typefully config) which is typical for a CLI tool.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install typefully-social-media - 安装完成后,直接呼叫该 Skill 的名称或使用
/typefully-social-media触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial release of the Typefully social media skill for drafting, scheduling, and publishing posts via Typefully's API and CLI.
- Enables drafting, scheduling, and managing posts for X/Twitter, LinkedIn, Threads, Bluesky, and Mastodon from one tool.
- Provides clear setup, configuration, and troubleshooting guidance (including API key priority and error handling).
- Describes workflow for handling multiple social media accounts (“social sets”) and setting defaults.
- Documents common posting actions, multi-platform publishing, and tag usage for content organization.
- Emphasizes best practices for error handling and user prompts.
元数据
常见问题
Typefully 是什么?
Create, schedule, and manage social media posts via Typefully. ALWAYS use this skill when asked to draft, schedule, post, or check tweets, posts, threads, or social media content for Twitter/X, LinkedIn, Threads, Bluesky, or Mastodon. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 781 次。
如何安装 Typefully?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install typefully-social-media」即可一键安装,无需额外配置。
Typefully 是免费的吗?
是的,Typefully 完全免费(开源免费),可自由下载、安装和使用。
Typefully 支持哪些平台?
Typefully 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Typefully?
由 frankdilo(@frankdilo)开发并维护,当前版本 v0.1.0。
推荐 Skills