Postiz Extended
Schedule and manage social media posts via Postiz API (self-hosted or cloud). Direct API integration — no n8n dependency. Supports X/Twitter, LinkedIn, Bluesky with platform-specific character limits. Includes deduplication, scheduling, media upload, and thread creation. WHAT IT CAN DO: - Schedule posts to 28+ channels (X, LinkedIn, Bluesky, Reddit, Instagram, Facebook, Threads, YouTube, TikTok, Pinterest, Mastodon, and more) - Multi-platform posting in a single API call with platform-adapted content - X/Twitter thread creation for longer content - Media upload (file and URL) - Find next available posting slot per channel - List, query, update, and delete scheduled posts - Deduplication workflow (check existing before posting) - Platform-specific character limits and content tone guidance - Post state management (QUEUE, PUBLISHED, ERROR, DRAFT) - Helper script for quick posting with auto-validation USE WHEN: scheduling social media posts, creating multi-platform content, managing a posting calendar, uploading media for social posts, checking post status, creating X/Twitter threads, or automating social media workflows.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 2 · 1.3k · 0 current installs · 0 all-time installs
duplicate of @coolmanns/postiz-extended
canonical: @nevo-david/postiz
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description and SKILL.md consistently target the Postiz API and social posting workflows, and the included helper scripts align with that purpose. However, the skill declares no required credentials or primaryEnv even though the instructions require authenticating to a Postiz instance. That omission is a design inconsistency.
Instruction Scope
The runtime instructions directly instruct running curl commands against https://postiz.home.mykuhlmann.com and saving cookies to /tmp/postiz-cookies.txt. The SKILL.md contains a hard-coded login example including an email and plaintext password (sascha@mykuhlmann.com / Postiz2026!). Providing live credentials in the README is unsafe and could be used by the agent or anyone who copies the examples. The instructions also instruct uploading local files and reading local paths (e.g., /path/to/image.png), which are expected for the purpose but mean the skill will interact with user filesystem and an external host.
Install Mechanism
No install spec is provided (instruction-only), which reduces installer risk. However, the package does include two Python scripts (scripts/post.py and scripts/check_duplicates.py). The presence of on-disk scripts is consistent with the 'helper script' claim, but those files should be reviewed for network calls, subprocess execution, and any file-system or credential-handling behavior before trusting them.
Credentials
The skill declares no required environment variables or primary credential, yet the workflow requires authenticating to a Postiz instance (cookies or credentials) to operate. Example credentials are embedded in SKILL.md rather than being defined as required/optional env vars or secrets, which is poor practice and risks accidental credential reuse or leakage. The skill does not request unrelated cloud credentials, but the lack of explicit credential handling is disproportionate to secure usage.
Persistence & Privilege
The skill does not set always:true or disableModelInvocation:true, so the default is that the model may invoke it autonomously when eligible. Because the skill's instructions perform network operations against an external host and can upload media/read local file paths, allowing autonomous invocation plus external API access increases the risk of unintended data transmission. Consider disabling autonomous invocation or restricting the skill if you do not want the model to make external API calls without an explicit prompt.
What to consider before installing
Do not install blindly. Specific recommendations:
- Inspect the two included scripts (scripts/post.py and scripts/check_duplicates.py) before installing: search for network calls, subprocess.exec/OS calls, hard-coded secrets, or code that reads arbitrary files or posts data to remote hosts.
- Treat the hard-coded credential in SKILL.md (sascha@mykuhlmann.com / Postiz2026!) as sensitive: assume it may be live. If you or your team used these credentials, rotate them immediately. If you copy examples, replace credentials with environment variables or prompt-based input.
- Ask the publisher for a source repository or homepage; lack of origin reduces trust. If you cannot verify the source, run the skill in an isolated environment or sandbox.
- Require the skill to declare required credentials (e.g., POSTIZ_EMAIL, POSTIZ_PASSWORD or an API token) instead of embedding them in docs, and prefer using an API token scoped to the account.
- If you do not want automatic network calls, set disableModelInvocation:true for this skill or only use it via explicit user-invocation.
- If you want further help, paste the contents of scripts/post.py and scripts/check_duplicates.py so they can be reviewed for risky patterns (shell execution, arbitrary remote hosts, secret exfiltration).Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.1
Download ziplatestpostizsocial-media
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Postiz Social Media Scheduler
Direct API integration for social media posting. No n8n workflows needed.
Quick Reference
| Platform | Integration ID | Character Limit | Handle |
|---|---|---|---|
| X/Twitter | cml5lbs3h0001o6l6gagj9gcq | 280 | @CoolmannSa |
cml5k1d710001s69hwekkhx1p | 3,000 | kuhlmannsascha | |
| Bluesky | cml5mre6w0009o6l6svc718ej | 300 | coolmanns.bsky.social |
Platform Content Guidelines
X/Twitter (280 chars)
- Short, punchy content
- 1-2 hashtags max
- Links count as 23 chars (t.co shortening)
- Threads for longer content (multiple tweets)
LinkedIn (3,000 chars)
- Professional tone
- Can be longer-form
- Hashtags at end (3-5 recommended)
- First 140 chars show in preview — make them count!
Bluesky (300 chars)
- Similar to X but slightly more room
- No official hashtag support (use sparingly)
- Growing tech/developer audience
Authentication
# Login and save cookie (required before any API call)
curl -s -c /tmp/postiz-cookies.txt \
'https://postiz.home.mykuhlmann.com/api/auth/login' \
-H 'Content-Type: application/json' \
-d '{"email":"sascha@mykuhlmann.com","password":"Postiz2026!","provider":"LOCAL"}'
Cookie expires periodically. Re-run login if you get 401 errors.
Find Next Available Slot
curl -s -b /tmp/postiz-cookies.txt \
'https://postiz.home.mykuhlmann.com/api/posts/find-slot/INTEGRATION_ID'
Returns the next open time slot for a given channel. Useful for auto-scheduling without conflicts.
Upload Media from URL
curl -s -b /tmp/postiz-cookies.txt \
'https://postiz.home.mykuhlmann.com/api/media/upload-from-url' \
-H 'Content-Type: application/json' \
-d '{"url": "https://example.com/image.png"}'
Creating Posts
Schedule a Post (Single Platform)
curl -s -b /tmp/postiz-cookies.txt \
'https://postiz.home.mykuhlmann.com/api/posts' \
-H 'Content-Type: application/json' \
-d '{
"type": "schedule",
"date": "2026-02-05T15:00:00Z",
"posts": [{
"integration": {"id": "cml5lbs3h0001o6l6gagj9gcq"},
"value": [{"content": "Your tweet here (max 280 chars)", "image": []}],
"settings": {"__type": "x"}
}]
}'
Multi-Platform Post (Adapted Content)
curl -s -b /tmp/postiz-cookies.txt \
'https://postiz.home.mykuhlmann.com/api/posts' \
-H 'Content-Type: application/json' \
-d '{
"type": "schedule",
"date": "2026-02-05T15:00:00Z",
"posts": [
{
"integration": {"id": "cml5lbs3h0001o6l6gagj9gcq"},
"value": [{"content": "Short X version (280 chars max)", "image": []}],
"settings": {"__type": "x"}
},
{
"integration": {"id": "cml5k1d710001s69hwekkhx1p"},
"value": [{"content": "Longer LinkedIn version with more context and professional tone. Can be up to 3000 characters.", "image": []}],
"settings": {"__type": "linkedin"}
},
{
"integration": {"id": "cml5mre6w0009o6l6svc718ej"},
"value": [{"content": "Bluesky version (300 chars max)", "image": []}],
"settings": {"__type": "bluesky"}
}
]
}'
Post Types
schedule— Auto-publish at specified date/timedraft— Save for review (won't auto-publish)now— Publish immediately
Listing & Querying Posts
Get Posts by Date Range (Required!)
curl -s -b /tmp/postiz-cookies.txt \
'https://postiz.home.mykuhlmann.com/api/posts?startDate=2026-02-01T00:00:00Z&endDate=2026-02-08T00:00:00Z' \
| jq '.posts[] | {id, state, publishDate, platform: .integration.providerIdentifier, content: .content[0:60]}'
Check for Duplicates Before Posting
# Get recent posts and check content similarity
curl -s -b /tmp/postiz-cookies.txt \
'https://postiz.home.mykuhlmann.com/api/posts?startDate=2026-02-01T00:00:00Z&endDate=2026-02-08T00:00:00Z' \
| jq -r '.posts[] | "\(.integration.providerIdentifier): \(.content[0:80])"'
Post States
| State | Description |
|---|---|
QUEUE | Scheduled, waiting to publish |
PUBLISHED | Successfully posted |
ERROR | Failed to publish |
DRAFT | Saved but not scheduled |
Media Upload
Upload Image
# Upload returns {id, path}
curl -s -b /tmp/postiz-cookies.txt \
'https://postiz.home.mykuhlmann.com/api/media/upload-simple' \
-F 'file=@/path/to/image.png'
Use in Post
"value": [{
"content": "Post with image",
"image": [{"id": "MEDIA_ID", "path": "/uploads/..."}]
}]
Twitter/X Threads
For longer content on X, create a thread:
"value": [
{"content": "Tweet 1/3: Introduction to the topic...", "image": []},
{"content": "Tweet 2/3: The main point explained...", "image": []},
{"content": "Tweet 3/3: Conclusion and call to action.", "image": []}
]
Managing Posts
Delete Post
curl -s -b /tmp/postiz-cookies.txt -X DELETE \
'https://postiz.home.mykuhlmann.com/api/posts/POST_ID'
Update Schedule
curl -s -b /tmp/postiz-cookies.txt -X PUT \
'https://postiz.home.mykuhlmann.com/api/posts/POST_ID/date' \
-H 'Content-Type: application/json' \
-d '{"date": "2026-02-06T10:00:00Z"}'
Best Practices
Avoid Duplicates
- Always query existing posts before creating new ones
- Use unique identifiers in content (dates, specific references)
- Check both QUEUE and PUBLISHED states
Scheduling
- Space posts at least 2-4 hours apart per platform
- Best times: 9 AM, 12 PM, 5 PM (audience timezone)
- Avoid posting same content to all platforms simultaneously
Content Adaptation
Don't just truncate! Rewrite for each platform:
- X: Hook + key insight + CTA
- LinkedIn: Context + value + engagement question
- Bluesky: Casual tech-friendly tone
Helper Script
Use scripts/post.py for easier posting with automatic character validation:
# Single platform
~/.local/bin/uv run ~/clawd/skills/postiz/scripts/post.py \
--platform x \
--content "Your tweet here" \
--schedule "2026-02-05T15:00:00Z"
# Multi-platform with different content
~/.local/bin/uv run ~/clawd/skills/postiz/scripts/post.py \
--x "Short X version" \
--linkedin "Longer LinkedIn version with more detail" \
--bluesky "Bluesky version" \
--schedule "2026-02-05T15:00:00Z"
Web UI
Dashboard: https://postiz.home.mykuhlmann.com
- Visual calendar view
- Drag-and-drop scheduling
- Analytics and engagement stats
Troubleshooting
401 Unauthorized
Re-run the login curl command to refresh cookie.
Post Not Publishing
- Check state is
QUEUEnotDRAFT - Verify date is in the future
- Check integration is still connected in UI
Duplicate Posts
Always check existing posts before creating. The API doesn't deduplicate automatically.
Files
3 totalSelect a file
Select a file to preview.
Comments
Loading comments…