Social Media Engine
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is aligned with social-media scheduling, but it needs review because it claims posts are drafts by default while the included code and docs can queue or publish posts using your social accounts.
Install only if you are comfortable giving the agent posting access to your Buffer or Postiz-connected social accounts. Before use, change or verify the workflow so posts are saved as drafts by default, require explicit platform/channel selection, and require a final confirmation before anything is queued, scheduled, or published.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could believe every generated post will remain a draft, while the script can instead queue, schedule, or publish content to connected social accounts.
This is a strong safety claim, but the included script defaults show non-draft posting modes unless a draft option is supplied, so users may rely on a protection that is not consistently implemented.
All posts are created as DRAFTS by default — human approval required before publishing.
Make draft mode the actual default in code and examples, and require an explicit publish/schedule flag plus a final confirmation for non-draft posts.
If invoked with connected credentials, the tool can create public or scheduled social posts rather than harmless drafts.
The Buffer path queues posts by default and only saves drafts when opts.draft is set; the Postiz path defaults to immediate posting. This is high-impact social-account mutation without draft-by-default enforcement.
let mode = 'addToQueue'; ... ...(opts.draft ? { saveToDraft: true } : {}); ... let type = 'now'; if (opts.draft) type = 'draft'; else if (opts.schedule) type = 'schedule';
Require explicit user-approved platform, channel, content, time, and publish mode before calling the posting API; default to drafts in both Buffer and Postiz paths.
A vague request could become content prepared or posted for every connected account, increasing reputational impact if the post is wrong.
Defaulting to all active platforms when the user did not specify a target can spread one mistaken draft or approval across multiple public channels.
Identify the platform(s). If not specified, ask or default to all active platforms.
Require explicit platform/channel selection before scheduling or publishing, especially for multi-account or brand accounts.
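The two recommendations above (draft-by-default with an explicit publish flag plus confirmation, and explicit channel selection) as an added example, not the skill's own code: the weak functions mirror the defaults quoted from the Buffer and Postiz paths, and the hardened resolver inverts them. `opts.draft` and `opts.schedule` are the option names quoted from the skill; `publish`, `confirmed` and `channels` are assumed names.

```javascript
// Added example, not the skill's code. `opts.draft` / `opts.schedule` are the
// names quoted in the finding; `publish`, `confirmed` and `channels` are assumed.

// Defaults as described in the finding: Buffer queues unless opts.draft is set,
// Postiz posts immediately unless draft or schedule is set.
function weakBufferMode(opts = {}) {
  return opts.draft ? 'saveToDraft' : 'addToQueue';
}
function weakPostizType(opts = {}) {
  let type = 'now';
  if (opts.draft) type = 'draft';
  else if (opts.schedule) type = 'schedule';
  return type;
}

// Hardened resolver shared by both paths: a draft is produced unless the caller
// explicitly asks to publish or schedule, names the target channels, and
// confirms. No channel list is ever filled in from "all active platforms".
function resolvePublishMode(opts = {}) {
  const wantsLive = opts.publish === true || Boolean(opts.schedule);
  if (!wantsLive) {
    return { mode: 'draft', channels: Array.isArray(opts.channels) ? opts.channels : [] };
  }
  if (!Array.isArray(opts.channels) || opts.channels.length === 0) {
    throw new Error('explicit channel selection is required for non-draft posts');
  }
  if (opts.confirmed !== true) {
    throw new Error('final confirmation is required before queueing or publishing');
  }
  return { mode: opts.schedule ? 'schedule' : 'now', channels: opts.channels };
}

// Demonstration: an empty options object reaches the posting API as a draft
// under the hardened resolver, but as a live post under the quoted defaults.
console.log(weakBufferMode({}), weakPostizType({}));   // addToQueue now
console.log(resolvePublishMode({}).mode);               // draft
```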
Anyone or any agent workflow using these credentials may be able to list channels and create posts through the connected scheduling service.
The skill needs API keys that can access connected Buffer/Postiz social channels. This is purpose-aligned, but users should recognize it grants posting authority.
requiredEnv: - BUFFER_API_KEY ... - POSTIZ_API_KEY ... permissions: ... Reads .env for credentials
Use least-privilege API keys where available, test on non-critical accounts first, and keep the .env file private.
Following the optional self-hosting guide executes an external installer on the user's server.
The optional Postiz setup guide includes a remote shell installer. It is user-directed and related to self-hosted setup, but it is still a supply-chain-sensitive installation pattern.
curl -fsSL https://get.docker.com | sh
Review Docker/Postiz installation steps, prefer official package-manager instructions where possible, and pin or verify dependencies for production use.
