The organic growth playbook behind 300K+ app downloads. Your AI becomes a growth coach trained on the exact system that drove 500M+ views and $30K+ revenue.
Security Analysis
medium confidenceThe skill's requests and instructions are coherent with a social-posting/growth coach: it asks for a single posting API key to programmatically create drafts/posts and describes persistent logging of performance data; nothing in the bundle contradicts that purpose, but there are a few operational unknowns you should confirm before granting access.
The skill is a B2C mobile-app marketing coach that promises to generate and post short-form content. Requesting a single POST_BRIDGE_API_KEY (a posting/bridge API key) is a reasonable and proportionate credential for a skill that automates uploads/drafts to social platforms. References to image-generation, analytics, and a 'posting tool' (Postiz/Post-Bridge) are examples consistent with its stated purpose.
SKILL.md instructs the agent to act as both coach and execution engine: create accounts, engage, generate content (including images/text overlays), and post content (upload as drafts via API). It also instructs persisting performance data ('memory files'). The instructions do not tell the agent to read unrelated system files or scrape unrelated credentials, but they do permit sending user content and metrics to external services (posting bridge, image APIs, analytics services). Confirm you accept those outbound calls and persistent logs.
This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing will be downloaded or written by an installer from unknown URLs as part of skill setup.
Only one environment variable is declared (POST_BRIDGE_API_KEY) and set as primary, which is proportionate for a skill that needs a posting bridge. SKILL.md mentions other services (OpenAI image APIs, RevenueCat analytics, WhatsApp) as examples but does not request credentials for them; verify whether the platform will supply those credentials or the skill will request them at runtime. If the bridge key can post/publish on your behalf, treat it as a powerful credential and scope it carefully.
always:false (normal). The skill describes persistent 'memory files' to log posts and performance across sessions but declares no config paths. Confirm where persistent data will be stored (platform-managed skill storage vs. external storage) and what data is retained (post content, analytics, follower counts, comment text). Also confirm whether posting is only drafted or can be auto-published — the SKILL.md describes drafts + human finalization, but you should verify enforcement.
Guidance
This skill appears to do what it says: coach you and programmatically create/upload short-form posts using a posting bridge. Before installing, verify the following: (1) what service accepts POST_BRIDGE_API_KEY (who runs it and their privacy/security practices), (2) whether that key can publish posts live or only create drafts (prefer draft-only permissions), (3) what persistent storage will be used for 'memory files' and what data is saved, and (4) whether the skill will request further credentials at runtime (OpenAI, analytics, WhatsApp). If possible, provide a scoped API key tied to a throwaway/posting-only account rather than your main brand account, and test with non-sensitive content first. If you are not comfortable granting a third-party posting API broad rights, do not supply the POST_BRIDGE_API_KEY.
Latest Release
v2.0.6
- Updated phase 2 instructions for account warmup, now called "Building Community Presence," with revised guidance on initial engagement instead of strict no-posting. - Adjusted language throughout phase 2 for clarity and reduced risk of new accounts being flagged by algorithms. - Revised activity and coaching advice to reflect more nuanced guidance on establishing trust and presence. - Minor wording improvements and clarifications in posting and manual activity recommendations.
More by @jackfriks
Published by @jackfriks on ClawHub
