Is jackfriks/post-bridge-social-manager safe?

https://github.com/openclaw/skills/tree/main/skills/jackfriks/post-bridge-social-manager

87
SAFE

This skill is a straightforward API documentation wrapper for the Post Bridge social media scheduling service. No executable code, git hooks, or malicious instructions were found in SKILL.md, and the installation process was clean with no suspicious network activity beyond a standard GitHub clone. The primary residual risk is an indirect prompt injection surface created by the instruction to fetch and locally cache external API documentation from post-bridge.com, which could be weaponized if that domain were ever compromised. The high-impact nature of autonomous multi-platform social media posting means users should understand what they are granting before installing.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (5)

MEDIUM External URL fetch instruction creates indirect injection surface -20

Step 5 of the Setup section instructs the agent to download https://api.post-bridge.com/reference and save the result to the workspace as post-bridge-api.json. The agent will subsequently reference this file. If the post-bridge.com domain were compromised or the endpoint returned adversarial markdown/text, those instructions would be silently injected into the agent's working context on the next read.

LOW Binary file upload pathway could be abused for data exfiltration -15

The skill's core upload flow (POST /v1/media/create-upload-url then PUT with binary body) is designed for video files but mechanically supports uploading any binary content. A manipulated agent could be directed to read an arbitrary file and upload it through this pathway. The skill itself does not instruct this, but the API surface exists.

MEDIUM Autonomous social media posting is high-impact if agent is manipulated -22

The skill grants the agent the ability to publish content to TikTok, Instagram, YouTube, Twitter/X, LinkedIn, Pinterest, Facebook, Threads, and Bluesky simultaneously using real connected accounts. An agent operating under a manipulated prompt could post harmful, embarrassing, or unauthorized content at scale. The scheduled_at field also allows pre-programming future posts that a user may not immediately notice.

INFO External binary dependency: ffmpeg -4

The skill declares a hard dependency on ffmpeg (required in metadata bins). ffmpeg is a standard, well-audited open-source tool used here for legitimate frame extraction. No risk beyond what any ffmpeg invocation carries.

INFO Pre-install credential file accesses attributed to audit framework canary setup -10

inotifywait and auditd both recorded read-only accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at epoch 1771937005 — approximately 6 seconds before the git clone began at epoch 1771937011. The batch pattern, timing, and CLOSE_NOWRITE disposition are consistent with the Oathe audit framework initializing its honeypot canary files. Canary integrity check confirms no modifications or exfiltration.