Typefully Skill
v1.0.0Create, schedule, list, edit, and delete drafts on Typefully. Supports single tweets, threads, and multi-platform posts (X, LinkedIn, Threads, Bluesky, Masto...
⭐ 2· 352·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill name/description (manage Typefully drafts: create, schedule, list, edit, delete) matches the included script and SKILL.md. However, the registry metadata in the provided manifest lists no required environment variables or primary credential, while SKILL.md and scripts/typefully.sh clearly require TYPEFULLY_API_KEY (and optionally TYPEFULLY_SOCIAL_SET_ID). This mismatch is an integrity/metadata concern (likely an authoring or packaging oversight) but not, by itself, evidence of malicious intent.
Instruction Scope
SKILL.md and scripts/typefully.sh confine actions to Typefully's v2 API (https://api.typefully.com/v2). The script only reads TYPEFULLY_API_KEY (or a specific pass store entry) and TYPEFULLY_SOCIAL_SET_ID (or a specific pass entry), performs HTTP calls to the Typefully API, and prints JSON. It does not read arbitrary files, send data to unrelated endpoints, or perform hidden/background tasks. It does invoke 'pass' when used, but only for the explicit keys 'typefully/api-key' and 'typefully/social-set-id'.
Install Mechanism
There is no install spec — this is instruction-only with an included shell script. Nothing is downloaded from external or untrusted URLs during install. The included script is plain shell; no archive downloads, no brew/npm installs are invoked by the skill itself.
Credentials
The actual runtime requires TYPEFULLY_API_KEY (and optionally TYPEFULLY_SOCIAL_SET_ID); those are proportional to the stated purpose. The concern is that the registry metadata lists 'Required env vars: none' and 'Primary credential: none' which is inconsistent with SKILL.md/scripts. This mismatch could lead users or automated systems to install the skill without realizing it needs an API key, or to grant credentials incorrectly. No unrelated secrets or broad system credentials are requested by the script.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It can be invoked autonomously (disable-model-invocation is false) which is normal; note that autonomous invocation plus a provided API key gives the agent the ability to create/schedule/publish social posts on your behalf — this is expected for a posting skill but worth explicit user consideration.
What to consider before installing
This skill appears to implement exactly what it says (managing Typefully drafts) and its code only talks to api.typefully.com, but the registry metadata omits the required API key. Before installing: 1) Verify the skill source (check the GitHub homepage and confirm the repo and author). 2) Confirm you are comfortable granting TYPEFULLY_API_KEY — this key allows creating, scheduling, editing, and deleting posts (including publishing immediately). Prefer creating a key with minimal scope or be ready to revoke it. 3) Test with read-only commands first (list-social-sets, list-drafts) to confirm expected behavior. 4) Ask the skill publisher to update the registry metadata to declare TYPEFULLY_API_KEY and TYPEFULLY_SOCIAL_SET_ID so automated systems and other reviewers are not misled. If you plan to allow autonomous agent actions, be explicit in policy about 'publish_at: "now"' since the agent could publish content immediately.Like a lobster shell, security has layers — review code before you run it.
latestvk97f98k5315z3z9s9fkdqw827581r498
License
MIT-0
Free to use, modify, and redistribute. No attribution required.