Security scan
OpenClaw
Suspicious
Medium confidence
The included scripts appear to do exactly what the description says (call Metricool APIs using a Metricool token and user id), but the skill metadata does not declare the required credentials and the package reads local config files (.moltbot/moltbot.json and a workspace .env), which is an inconsistency worth clarifying before installation.
Assessment recommendations
What to consider before installing:
- The code and SKILL.md are consistent with a Metricool integration: it needs a Metricool API token (METRICOOL_USER_TOKEN) and user id (METRICOOL_USER_ID) and will call app.metricool.com endpoints. That behavior is expected for this skill.
- The registry metadata did NOT declare these required environment variables or a primary credential. Confirm with the skill author or registry owner why metadata omits the credentials the scripts expect; this inconsistency...
ℹ Purpose and capabilities
The code and SKILL.md match the stated purpose: all network calls are to app.metricool.com and the scripts implement listing brands, scheduling posts, listing scheduled posts, and fetching best times. Requested capabilities (access to a Metricool token and user id) are appropriate for this functionality. However, the registry metadata lists no required environment variables or primary credential while both SKILL.md and the scripts clearly expect METRICOOL_USER_TOKEN and METRICOOL_USER_ID — a discrepancy.
ℹ Instruction scope
Runtime instructions are narrowly scoped to Metricool functionality and running the provided node scripts. The scripts read credentials from process.env, ~/.moltbot/moltbot.json, and a workspace .env file to auto-detect tokens. They do not contact unexpected remote endpoints or try to read arbitrary system paths beyond those config locations. Reading a workspace .env and the user's .moltbot config is reasonable for credential lookup, but it means the skill will try to read files that may contain other secrets if present.
✓ Installation mechanism
There is no install spec that downloads remote code; the skill comes with local JS scripts. No external packages or unusual installers are fetched at runtime. This is lower risk from an installation mechanism perspective.
⚠ Credential requirements
The scripts require two specific credentials (METRICOOL_USER_TOKEN and METRICOOL_USER_ID), which are proportionate to the task. The concern is that the registry metadata did not declare these required env vars or primary credential — this mismatch can mislead users or automated vetting. Additionally, the scripts read ~/.moltbot/moltbot.json and a project .env file (which may contain other secrets); while they only parse specific keys, reading these files increases the skill's access surface and should be disclosed.
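One way to catch the metadata mismatch described above before installing, as an added example (not OpenClaw's scanner and not the skill's own code): it compares the environment variables and config-file literals referenced in script source against what the metadata declares. The metadata shape (`requiredEnv`, `configPaths`), the function name and the sample script text are assumptions constructed for illustration.

```javascript
// Added example: flag credentials and config files that a skill's scripts
// reference but its metadata does not declare.
// Assumption: metadata looks like { requiredEnv: [...], configPaths: [...] };
// this is a hypothetical shape, not the registry's real schema.

// process.env.NAME and process.env['NAME'] / process.env["NAME"]
const ENV_REF =
  /process\.env(?:\.([A-Za-z_]\w*)|\[\s*['"]([A-Za-z_]\w*)['"]\s*\])/g;
// String literals ending in .env or .json (config files the script may read)
const FILE_LITERAL = /['"`]([^'"`\s]*(?:\.env|\.json))['"`]/g;

function auditSkill(sources, metadata) {
  const declaredEnv = new Set(metadata.requiredEnv || []);
  const declaredFiles = new Set(metadata.configPaths || []);
  const env = new Set();
  const files = new Set();
  for (const code of Object.values(sources)) {
    for (const m of code.matchAll(ENV_REF)) env.add(m[1] || m[2]);
    for (const m of code.matchAll(FILE_LITERAL)) files.add(m[1]);
  }
  return {
    undeclaredEnv: [...env].filter((v) => !declaredEnv.has(v)).sort(),
    undeclaredFiles: [...files].filter((f) => !declaredFiles.has(f)).sort(),
  };
}

// Constructed sample source, written to mirror the behaviour the report
// describes; it is not copied from the skill.
const SAMPLE_SOURCES = {
  'scripts/get-brands.js': `
    const token = process.env.METRICOOL_USER_TOKEN;
    const userId = process.env['METRICOOL_USER_ID'];
    const cfg = path.join(os.homedir(), '.moltbot', 'moltbot.json');
    const dotenv = path.join(process.cwd(), '.env');
  `,
};

// Metadata that declares nothing, as in the finding above.
const EMPTY_METADATA = { requiredEnv: [], configPaths: [] };

console.log(auditSkill(SAMPLE_SOURCES, EMPTY_METADATA));
```

Static matching like this only sees literal references; names built at runtime or keys pulled out of a parsed config object still need a manual read of the scripts.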
✓ Persistence and privileges
The skill does not request persistent platform privileges (always: false), does not modify other skills or system-wide settings, and does not install background services. It runs on-demand via node scripts or when invoked by the agent.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest · v1.0.0 · 2026/1/29
Initial release: Schedule posts to LinkedIn, X, Bluesky, Threads, Instagram, Facebook via Metricool API
● Harmless
Install command
Official: `npx clawhub@latest install metricool`
Mirror (faster download): `npx clawhub@latest install metricool --registry https://cn.clawhub-mirror.com`
Skill documentation
Schedule posts to multiple social platforms through Metricool's API.
Setup
Get your Metricool API token from the Metricool dashboard.
Add environment variables in ~/.moltbot/moltbot.json:
```json
{
  "env": {
    "vars": {
      "METRICOOL_USER_TOKEN": "your-api-token",
      "METRICOOL_USER_ID": "your@email.com"
    }
  }
}
```
Or in your workspace .env:
```
METRICOOL_USER_TOKEN=your-api-token
METRICOOL_USER_ID=your@email.com
```
Scripts
Get Brands
List connected brands and their blog IDs:
```bash
node skills/metricool/scripts/get-brands.js
node skills/metricool/scripts/get-brands.js --json
```
Schedule a Post
```bash
node skills/metricool/scripts/schedule-post.js '{
  "platforms": ["linkedin", "x", "bluesky", "threads", "instagram"],
  "text": "Your post text here",
  "datetime": "2026-01-30T09:00:00",
  "timezone": "America/New_York",
  "blogId": "YOUR_BLOG_ID"
}'
```
Parameters:
- platforms: Array — linkedin, x, bluesky, threads, instagram, facebook
- text: String or object with per-platform text (see below)
- datetime: ISO datetime for scheduling
- timezone: Timezone (default: America/Chicago)
- imageUrl: Optional publicly accessible image URL
- blogId: Brand ID from get-brands.js
Per-platform text:
```json
{
  "text": {
    "linkedin": "Full LinkedIn post with more detail...",
    "x": "Short X post under 280 chars",
    "bluesky": "Bluesky version under 300 chars",
    "threads": "Threads version under 500 chars",
    "instagram": "Instagram with #hashtags"
  }
}
```
List Scheduled Posts
```bash
node skills/metricool/scripts/list-scheduled.js
node skills/metricool/scripts/list-scheduled.js --start 2026-01-30 --end 2026-02-05
```
Get Best Time to Post
```bash
node skills/metricool/scripts/best-time.js linkedin
node skills/metricool/scripts/best-time.js x
```
Character Limits
| Platform | Limit |
|---|---|
| LinkedIn | 3,000 |
| X/Twitter | 280 |
| Bluesky | 300 |
| Threads | 500 |
| Instagram | 2,200 |
Image Requirements
- Must be publicly accessible URL (S3, GCS, etc.)
- Recommended formats: PNG, JPG
- Square images work best for Instagram/Threads
- Wide images (1.91:1) work best for X/LinkedIn
Data source: ClawHub · Chinese localization: 龙虾技能库