Postiz Extended
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill could authenticate to and control someone else’s Postiz-connected social accounts, including publishing or managing posts.
The helper script embeds a real-looking Postiz host, email, and password instead of requiring a user-provided credential, granting account-level authority to the configured Postiz/social integrations.
POSTIZ_URL = "https://postiz.home.mykuhlmann.com" ... CREDENTIALS = {"email": "sascha@mykuhlmann.com", "password": "[hardcoded]", "provider": "LOCAL"}
Do not use the embedded credentials. Rotate or remove the exposed password, require user-supplied secrets through environment variables or OAuth, and clearly declare the credential requirement in metadata.
A mistaken or unauthorized invocation could schedule, immediately publish, alter, or remove social posts.
Publishing, updating, and deleting social posts are expected for this skill, but they are high-impact actions because they affect public or business social media accounts.
- List, query, update, and delete scheduled posts ... Post Types ... `now` — Publish immediately
Require explicit user confirmation before publishing, deleting, or updating posts, especially when using `now` or bulk/multi-platform actions.
A user may believe they are configuring their own Postiz account while the skill is actually prepared to operate against predefined accounts.
The description frames the skill as a general self-hosted/cloud Postiz integration, but the instructions point to specific named accounts and handles.
Schedule and manage social media posts via Postiz API (self-hosted or cloud) ... Handle ... @CoolmannSa ... kuhlmannsascha ... coolmanns.bsky.social
Make the target Postiz instance and social accounts configurable, remove account-specific defaults, and clearly disclose any fixed account binding.
Running the helper may install or use a dependency that was not declared in the skill metadata.
The helper script relies on an inline, unpinned Python dependency when run with uv; this is common for small scripts but is not reflected in the registry requirements.
# dependencies = ["requests"]
Pin dependencies and declare runtime requirements so users can review what will be installed or used.
