B2c Marketing 1.0.1
PassAudited by ClawScan on May 10, 2026.
Overview
This is an instruction-only marketing playbook with no code, but it documents using a Post Bridge API key to publish or schedule public social posts, so posting should be explicitly approved by the user.
Use this skill only if you want the agent to help with marketing content and possible social posting. Keep the Post Bridge API key private, connect only the accounts you intend to use, and require confirmation before the agent uploads, schedules, or publishes anything. Also verify the package identity because the registry metadata and _meta.json do not fully match.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following this workflow could create public posts on connected social media accounts.
The skill documents an external posting workflow that can publish or schedule public content across multiple platforms. This is aligned with the marketing purpose, but it is a high-impact action if performed without user review.
Use Post Bridge API to upload and schedule across IG, TikTok, YouTube simultaneously ... Omit for instant post
Require explicit user approval for each upload, schedule, or instant post, and verify captions, platforms, and timing before publishing.
Anyone or any agent with access to that workspace secret may be able to use the connected posting service within the key's permissions.
The workflow relies on a Post Bridge API key tied to connected social accounts. This credential use is expected for the stated purpose, but the registry requirements list no required environment variables or primary credential.
Connect your social accounts ... Get API key from Settings → API ... Store in workspace `.env`: `POST_BRIDGE_API_KEY=pb_live_xxxxx`
Store the API key only in a trusted workspace secret store, use the least-privileged Post Bridge account possible, and rotate/revoke the key if no longer needed.
The package identity is somewhat ambiguous, making it harder to verify authorship or provenance.
This does not match the supplied registry metadata, which lists a different owner ID, slug, and version. The source is also listed as unknown with no homepage.
"ownerId": "kn7568ekefyh405gp7wzcd2ay5813n2n", "slug": "b2c-marketing", "version": "1.0.1"
Confirm the publisher and intended version before installing, especially because the skill involves social account credentials and posting authority.