← 返回 Skills 市场
97
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install viral-content-engine
功能描述
Find trending topics, create editorial-style social media graphics, and post to X/Twitter and Instagram. Includes image generation with photographic backgrou...
安全使用建议
This skill's features align with its description, but it mishandles credentials and metadata is misleading. Before installing:
- Expect to provide OPENAI_API_KEY, BRAVE_API_KEY, and IG_USERNAME/IG_PASSWORD (the registry incorrectly lists none). Treat these as sensitive.
- Do not run it on a multi-user or shared machine: instagram-post.js builds a python -c command that contains your username/password in the command text, which can be visible to other local users via ps/psaux and logs. Better approaches are to use environment variables passed securely, a temporary file with restrictive permissions, or a proper OAuth/session flow.
- Inspect and control the ~/.openclaw directory: the skill will try to read ~/.openclaw/clawdbot.json for keys and will write ~/.openclaw/ig_session.json (containing session info). Review and remove saved session files when no longer needed and rotate passwords if used.
- If you need to run this, prefer running in an isolated VM/container, or modify instagram-post.js to invoke a short Python script file (not inline) and avoid embedding credentials in command lines.
- Confirm you trust the OpenAI key usage (image generations incur cost) and that storing IG credentials in a script/session fits your security posture.
If you want, ask for a secure remediation checklist (minimal code edits to avoid credential exposure) or for a specific code change to reduce the risks identified.
功能分析
Type: OpenClaw Skill
Name: viral-content-engine
Version: 1.0.0
The skill bundle provides social media automation but contains high-risk coding patterns and handles sensitive credentials. Specifically, 'instagram-post.js' and 'viral-search.js' use 'execSync' to execute shell commands with string interpolation, which is highly vulnerable to shell injection. The bundle also manages sensitive data including Instagram passwords and API keys, storing session tokens in '~/.openclaw/ig_session.json'. While these capabilities are aligned with the stated purpose of content creation and posting, the implementation lacks robust input sanitization and relies on risky execution methods.
能力评估
Purpose & Capability
The functionality (find trending content, generate images via OpenAI, and post to X/Instagram) matches the name and description. However the package registry metadata lists no required env vars while SKILL.md and the scripts require several secrets (OPENAI_API_KEY, BRAVE_API_KEY, IG_USERNAME/IG_PASSWORD) and external tools (bird CLI, instagrapi). That metadata mismatch is misleading.
Instruction Scope
The runtime instructions and included scripts do more than a simple 'generate-and-post' flow: they read a user OpenClaw config file (~/.openclaw/clawdbot.json) to obtain a Brave API key, write a persistent session file (~/.openclaw/ig_session.json), and construct/execute an inline Python script via shell. The instagram-post flow inlines credentials into a python -c command string, which can expose secrets in process listings. These behaviors expand scope to the user's filesystem and long-lived session data.
Install Mechanism
This is an instruction-only skill with bundled scripts and no install spec or remote downloads. No extra packages are automatically fetched by the skill installer itself (lowest installer risk).
Credentials
The skill legitimately needs an OpenAI key to generate images and IG credentials to post, and a Brave search key to scrape Instagram via Brave. But the registry claims no required env vars while the code expects them. Additionally, the skill reads an OpenClaw config file for keys (potentially exposing other stored secrets), persists an IG session file in the user's home directory, and inlines usernames/passwords in a shell command (exposes them to other local users/process inspections). These are disproportionate privacy/secret-handling risks if not understood.
Persistence & Privilege
The skill saves an Instagram session file at ~/.openclaw/ig_session.json and reads/writes into ~/.openclaw. That creates persistent credentials/session state on disk. The skill is not always: true, but its file persistence and session-saving behavior increases its long-term footprint and the impact of compromised credentials.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install viral-content-engine - 安装完成后,直接呼叫该 Skill 的名称或使用
/viral-content-engine触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Your AI-powered Instagram content team in a single skill.
Give it a topic → it researches what's trending and viral on X and Instagram → generates editorial-style carousel graphics (photographic backgrounds, dark gradient overlays, bold Bloomberg/Kalshi typography) → posts directly to Instagram and X.
Find: Viral content search with engagement scoring across X/Twitter and Instagram. Trending mode shows what's blowing up right now.
Create: OpenAI gpt-image-1 powered image generation with a battle-tested prompt template that produces consistent, professional editorial graphics every time.
Post: Direct publishing to Instagram (photos, reels, stories, carousels) and X/Twitter with media support.
No paid social APIs needed. Just plug in your OpenAI key and go.
元数据
常见问题
Insta Content Engine 是什么?
Find trending topics, create editorial-style social media graphics, and post to X/Twitter and Instagram. Includes image generation with photographic backgrou... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 97 次。
如何安装 Insta Content Engine?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install viral-content-engine」即可一键安装,无需额外配置。
Insta Content Engine 是免费的吗?
是的,Insta Content Engine 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Insta Content Engine 支持哪些平台?
Insta Content Engine 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Insta Content Engine?
由 kash(@ashmonmc)开发并维护,当前版本 v1.0.0。
推荐 Skills