Social Media Engine

What to consider before installing: - Metadata mismatch: the registry lists no required env vars but the skill requires BUFFER_API_KEY or POSTIZ_API_KEY + POSTIZ_BASE_URL. Treat those keys as necessary before using the scheduler. Ask the publisher to update registry metadata if you rely on automated vetting. - .env exposure: the included script will try to load a .env from the skill project, the current working directory, and HOME/.openclaw/.env if present. Make sure those .env files do not contain unrelated secrets (AWS keys, DB passwords, agent tokens). Prefer creating a minimal .env that contains only the Buffer/Postiz key you intend to provide. - Limit API key scope: when possible use API keys with the minimum privileges needed and rotate keys if you test with higher access. Prefer creating a dedicated Buffer/ Postiz API key for this skill rather than reusing an account-wide secret. - Isolation: run the skill in an isolated environment (container or dedicated account) if you are concerned about accidental access to other credentials or resources. - Verify the source: the SKILL.md points to a GitHub repo. Inspect that repo yourself (or ask the publisher for the exact commit hash). Confirm there are no hidden endpoints or telemetry beyond Buffer/Postiz calls. - Affiliate link: README contains an affiliate link (dub.sh/buffer-aff). This is monetization, not a direct technical concern, but be aware the author may have incentive to recommend Buffer. - If you need stronger guarantees: use a self-hosted Postiz instance you control, or run the scheduling script manually after reviewing its behavior. If you can't verify the registry metadata or repo, treat this skill as higher risk. If you want, I can: (1) extract and show the exact places the script reads .env and where it writes logs; (2) suggest a minimal .env template you can use; or (3) draft questions to ask the publisher to resolve the metadata mismatch.