Typefully Skill
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a coherent Typefully API wrapper, but it needs a Typefully API key and can create, schedule, publish, edit, or delete social drafts when invoked.
Install only if you are comfortable giving the skill a Typefully API key and sending draft content to Typefully. Require explicit confirmation before deleting drafts or publishing immediately, and verify prerequisites manually because the registry metadata omits some disclosed requirements.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong draft ID, schedule, or platform, the agent could publish or delete social content through Typefully.
The skill exposes account-mutating and potentially public-posting actions. They are disclosed and purpose-aligned, but should be user-confirmed because mistakes can publish or delete content.
`schedule-draft <draft_id> <iso8601|next-free-slot|now>` ... `delete-draft <draft_id>` ... `publish_at: "now" publishes immediately — use with caution`
Ask the agent to show the target draft, platforms, text, and time before deleting or publishing, especially when using `now`.
Anyone or any agent process with access to the configured API key may be able to manage drafts in the associated Typefully account.
The script uses a Typefully API key from an environment variable or password store and sends it as a Bearer token to Typefully. This is expected for the integration, but it grants account authority.
API_KEY="${TYPEFULLY_API_KEY:-}" ... API_KEY=$(pass typefully/api-key 2>/dev/null) ... -H "Authorization: Bearer ${API_KEY}"Use a scoped Typefully API key if available, keep it in a secure environment or password store, and revoke or rotate it if no longer needed.
Installers or users relying only on registry metadata may not realize the skill needs local tools and a Typefully credential.
The registry metadata does not declare prerequisites that SKILL.md and README.md disclose, including TYPEFULLY_API_KEY, curl, python3, and optional pass. This is a metadata/provenance gap rather than hidden behavior.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Verify the README/SKILL.md setup steps manually before use and ensure curl, python3, and the intended credential source are available.
Content you ask the agent to draft or schedule will be transmitted to Typefully and handled under that service's account and privacy controls.
Draft text, platform selections, and scheduling data are sent to Typefully's API. The destination is clear and purpose-aligned.
API_BASE="https://api.typefully.com/v2" ... api POST "/social-sets/${SOCIAL_SET_ID}/drafts" -d "$body"Do not send sensitive or private draft content unless you are comfortable storing or processing it in Typefully.