Social Media Assistant (via postsyncer.com)
Review
Audited by ClawScan on May 10, 2026.
Overview
Review before installing: this looks like a disclosed PostSyncer integration, but it can use your token to publish, edit, and delete social-media content across connected accounts without a clearly shown approval gate for every public action.
Install only if you are comfortable letting the agent act on connected PostSyncer social accounts. Use a tightly scoped API token, keep it in the environment, verify workspace/account IDs before use, and require explicit confirmation before publishing, scheduling, editing, deleting, or commenting.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could publish or modify content on connected social accounts, potentially causing reputational or business impact.
The skill gives the agent raw API/MCP-style authority to perform social-media mutations, including public posting workflows. This is aligned with the stated purpose, but the provided artifact excerpt does not clearly require explicit approval before public create/update/schedule actions.
Autonomously manage social media ... scheduling, posting, or managing content ... post CRUD ... Use `web_fetch`, `curl`, or any HTTP tool available.
Require explicit user review before publishing, scheduling, updating, deleting, or commenting; bind actions to specific workspace/account IDs; and preview post content before API calls.
Anyone or any agent process with this token could act within the token's PostSyncer permissions.
The requested bearer token is expected for PostSyncer, but it may grant broad authority over connected workspaces, accounts, posts, and campaign metadata.
create a personal access token with abilities: `workspaces`, `accounts`, `posts`, and (if you use them) `labels`, `campaigns`
Use the least-privileged token available, limit it to the needed workspace and abilities if PostSyncer supports that, store it only in the environment, and revoke it when no longer needed.
If configured with an untrusted or incorrect MCP endpoint, the same PostSyncer token and social-media authority could be exposed to that tool connection.
The optional MCP path would reuse the same powerful token and expose similar account/media/post tools through an MCP tool boundary.
PostSyncer MCP ... uses the **same Bearer token** as REST. Typical tools: `list-workspaces`, `list-accounts`, post CRUD, **`list-media`** ... **`delete-media`**
Use only the official PostSyncer MCP configuration, verify the endpoint, and avoid enabling MCP unless you need it.
