ClawHub

Postiz Extended

Schedule and manage social media posts via Postiz API (self-hosted or cloud). Direct API integration — no n8n dependency. Supports X/Twitter, LinkedIn, Bluesky with platform-specific character limits. Includes deduplication, scheduling, media upload, and thread creation. WHAT IT CAN DO: - Schedule posts to 28+ channels (X, LinkedIn, Bluesky, Reddit, Instagram, Facebook, Threads, YouTube, TikTok, Pinterest, Mastodon, and more) - Multi-platform posting in a single API call with platform-adapted content - X/Twitter thread creation for longer content - Media upload (file and URL) - Find next available posting slot per channel - List, query, update, and delete scheduled posts - Deduplication workflow (check existing before posting) - Platform-specific character limits and content tone guidance - Post state management (QUEUE, PUBLISHED, ERROR, DRAFT) - Helper script for quick posting with auto-validation USE WHEN: scheduling social media posts, creating multi-platform content, managing a posting calendar, uploading media for social posts, checking post status, creating X/Twitter threads, or automating social media workflows.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.6k · 0 current installs · 0 all-time installs
by@coolmanns
fork of @nevo-david/postiz
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description claims support for 28+ channels, but the included runnable code (post.py and check_duplicates.py) only implements workflow and explicit platform configuration for X/Twitter, LinkedIn, and Bluesky. That could be a marketing/packaging discrepancy (the Postiz server might support more channels), but the bundled client only visibly supports three platforms — so the capability claim is overstated relative to the shipped code.
!
Instruction Scope
SKILL.md instructs the agent/user to export POSTIZ_URL, POSTIZ_EMAIL, POSTIZ_PASSWORD and integration IDs and to save cookies to /tmp/postiz-cookies.txt; the included scripts read/write that cookie file and use those env vars. The registry metadata, however, declared no required env vars/credentials — an inconsistency. The instructions do not reference unrelated system paths or external endpoints beyond the configured POSTIZ_URL, but they persist cookies in /tmp (world-writable area) which is worth noting.
Install Mechanism
No install spec; the skill is instruction-plus-scripts only. There is no download-from-URL or package install. Risk from installation is low, but the presence of executable Python scripts means the agent or user will execute code bundled with the skill.
!
Credentials
The skill requires a Postiz username/password and integration IDs in SKILL.md and in the scripts — these are reasonable for interacting with a self-hosted Postiz API. However the registry metadata lists no required environment variables or primary credential, which is inconsistent and may mislead users about what secrets are needed. The scripts persist authentication cookies to /tmp, which could be abused if an attacker can read that file.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configs. It does persist session cookies to /tmp/postiz-cookies.txt and will reuse them across runs — a limited persistence scope that you should be aware of but not a platform-privilege escalation.
What to consider before installing
What to check before installing or running this skill: - Provenance: the skill source/homepage is unknown. Prefer code from a known repo or vendor. Ask the publisher for a canonical source or verify the package on a trusted registry. - Metadata mismatch: the registry metadata claims no required env vars, but SKILL.md and the scripts require POSTIZ_URL, POSTIZ_EMAIL, POSTIZ_PASSWORD and integration IDs. Treat that as a red flag and do not expose real credentials until you verify origin. - Least privilege: if possible, use an integration-specific API token (Postiz may offer tokens) instead of your full account password. If only password auth is available, create a dedicated account with minimal rights. - Cookie handling: the scripts save session cookies to /tmp/postiz-cookies.txt. /tmp is shared and files can be accessible to other local users; consider changing the cookie path to a restricted location (e.g., in your user home with restrictive permissions) or delete the cookie file after use. - Feature claims: the description promises 28+ channels but bundled code explicitly handles 3 platforms. If you need broader channel support, confirm whether the Postiz instance (server) provides it and whether the skill will correctly map arbitrary integration IDs, or update the scripts to handle additional types. - Execution policy: because the repo includes executable Python scripts, prefer to run them manually in an isolated environment first (local VM/container) rather than granting the agent autonomous invocation with your real credentials. You can also audit the scripts line-by-line (they are short) or run them with a test Postiz instance. - If you proceed: restrict credentials, test with non-sensitive/test accounts, inspect network traffic (or run against a staging Postiz) to confirm no unexpected endpoints are called, and remove stored cookies/credentials after testing. If you want, I can: (1) summarize exactly where in the code credentials are used and where the cookie file is written, (2) suggest minimal code changes to reduce risk (save cookies under user-only permissions, use token auth), or (3) produce a checklist to verify Postiz instance endpoints before handing over credentials.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.3.0
Download zip
blueskyvk97248a7e9z68d57c1m7ezvhn580kmjxlatestvk970gsk0brv1dn42hxqbe5t27x80mq3wlinkedinvk97248a7e9z68d57c1m7ezvhn580kmjxpostizvk97cmrme1mbwzwaw68jk03m3ks80kwfmschedulingvk97cmrme1mbwzwaw68jk03m3ks80kwfmsocial-mediavk97cmrme1mbwzwaw68jk03m3ks80kwfmxvk97248a7e9z68d57c1m7ezvhn580kmjx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Postiz Social Media Scheduler

Direct API integration for social media posting. No n8n workflows needed.

Setup

Required Environment Variables

# Core configuration
export POSTIZ_URL="https://your-postiz-instance.com"
export POSTIZ_EMAIL="your@email.com"
export POSTIZ_PASSWORD="your-password"

# Integration IDs (get from Postiz dashboard → Integrations)
export POSTIZ_X_ID="your-x-integration-id"
export POSTIZ_LINKEDIN_ID="your-linkedin-integration-id"
export POSTIZ_BLUESKY_ID="your-bluesky-integration-id"

To find your integration IDs:

  1. Go to your Postiz dashboard
  2. Navigate to Integrations or Channels
  3. Each connected account shows an ID (or use the API: GET /api/integrations/list)

Platform Limits

PlatformCharacter LimitNotes
X/Twitter280Links count as 23 chars (t.co shortening)
LinkedIn3,000First 140 chars show in preview
Bluesky300Growing tech/developer audience

Platform Content Guidelines

X/Twitter (280 chars)

  • Short, punchy content
  • 1-2 hashtags max
  • Threads for longer content (multiple tweets)

LinkedIn (3,000 chars)

  • Professional tone
  • Can be longer-form
  • Hashtags at end (3-5 recommended)
  • First 140 chars show in preview — make them count!

Bluesky (300 chars)

  • Similar to X but slightly more room
  • No official hashtag support (use sparingly)
  • Growing tech/developer audience

Authentication

# Login and save cookie (required before any API call)
curl -s -c /tmp/postiz-cookies.txt \
  "$POSTIZ_URL/api/auth/login" \
  -H 'Content-Type: application/json' \
  -d "{\"email\":\"$POSTIZ_EMAIL\",\"password\":\"$POSTIZ_PASSWORD\",\"provider\":\"LOCAL\"}"

Cookie expires periodically. Re-run login if you get 401 errors.

Find Next Available Slot

curl -s -b /tmp/postiz-cookies.txt \
  "$POSTIZ_URL/api/posts/find-slot/$POSTIZ_X_ID"

Returns the next open time slot for a given channel. Useful for auto-scheduling without conflicts.

Upload Media from URL

curl -s -b /tmp/postiz-cookies.txt \
  "$POSTIZ_URL/api/media/upload-from-url" \
  -H 'Content-Type: application/json' \
  -d '{"url": "https://example.com/image.png"}'

Creating Posts

Schedule a Post (Single Platform)

curl -s -b /tmp/postiz-cookies.txt \
  "$POSTIZ_URL/api/posts" \
  -H 'Content-Type: application/json' \
  -d "{
    \"type\": \"schedule\",
    \"date\": \"2026-02-05T15:00:00Z\",
    \"posts\": [{
      \"integration\": {\"id\": \"$POSTIZ_X_ID\"},
      \"value\": [{\"content\": \"Your tweet here (max 280 chars)\", \"image\": []}],
      \"settings\": {\"__type\": \"x\"}
    }]
  }"

Multi-Platform Post (Adapted Content)

curl -s -b /tmp/postiz-cookies.txt \
  "$POSTIZ_URL/api/posts" \
  -H 'Content-Type: application/json' \
  -d "{
    \"type\": \"schedule\",
    \"date\": \"2026-02-05T15:00:00Z\",
    \"posts\": [
      {
        \"integration\": {\"id\": \"$POSTIZ_X_ID\"},
        \"value\": [{\"content\": \"Short X version (280 chars max)\", \"image\": []}],
        \"settings\": {\"__type\": \"x\"}
      },
      {
        \"integration\": {\"id\": \"$POSTIZ_LINKEDIN_ID\"},
        \"value\": [{\"content\": \"Longer LinkedIn version with more context and professional tone. Can be up to 3000 characters.\", \"image\": []}],
        \"settings\": {\"__type\": \"linkedin\"}
      },
      {
        \"integration\": {\"id\": \"$POSTIZ_BLUESKY_ID\"},
        \"value\": [{\"content\": \"Bluesky version (300 chars max)\", \"image\": []}],
        \"settings\": {\"__type\": \"bluesky\"}
      }
    ]
  }"

Post Types

  • schedule — Auto-publish at specified date/time
  • draft — Save for review (won't auto-publish)
  • now — Publish immediately

Listing & Querying Posts

Get Posts by Date Range (Required!)

curl -s -b /tmp/postiz-cookies.txt \
  "$POSTIZ_URL/api/posts?startDate=2026-02-01T00:00:00Z&endDate=2026-02-08T00:00:00Z" \
  | jq '.posts[] | {id, state, publishDate, platform: .integration.providerIdentifier, content: .content[0:60]}'

Check for Duplicates Before Posting

# Get recent posts and check content similarity
curl -s -b /tmp/postiz-cookies.txt \
  "$POSTIZ_URL/api/posts?startDate=2026-02-01T00:00:00Z&endDate=2026-02-08T00:00:00Z" \
  | jq -r '.posts[] | "\(.integration.providerIdentifier): \(.content[0:80])"'

Post States

StateDescription
QUEUEScheduled, waiting to publish
PUBLISHEDSuccessfully posted
ERRORFailed to publish
DRAFTSaved but not scheduled

Media Upload

Upload Image

# Upload returns {id, path}
curl -s -b /tmp/postiz-cookies.txt \
  "$POSTIZ_URL/api/media/upload-simple" \
  -F 'file=@/path/to/image.png'

Use in Post

"value": [{
  "content": "Post with image",
  "image": [{"id": "MEDIA_ID", "path": "/uploads/..."}]
}]

Twitter/X Threads

For longer content on X, create a thread:

"value": [
  {"content": "Tweet 1/3: Introduction to the topic...", "image": []},
  {"content": "Tweet 2/3: The main point explained...", "image": []},
  {"content": "Tweet 3/3: Conclusion and call to action.", "image": []}
]

Managing Posts

Delete Post

curl -s -b /tmp/postiz-cookies.txt -X DELETE \
  "$POSTIZ_URL/api/posts/POST_ID"

Update Schedule

curl -s -b /tmp/postiz-cookies.txt -X PUT \
  "$POSTIZ_URL/api/posts/POST_ID/date" \
  -H 'Content-Type: application/json' \
  -d '{"date": "2026-02-06T10:00:00Z"}'

Best Practices

Avoid Duplicates

  1. Always query existing posts before creating new ones
  2. Use unique identifiers in content (dates, specific references)
  3. Check both QUEUE and PUBLISHED states

Scheduling

  • Space posts at least 2-4 hours apart per platform
  • Best times: 9 AM, 12 PM, 5 PM (audience timezone)
  • Avoid posting same content to all platforms simultaneously

Content Adaptation

Don't just truncate! Rewrite for each platform:

  • X: Hook + key insight + CTA
  • LinkedIn: Context + value + engagement question
  • Bluesky: Casual tech-friendly tone

Helper Scripts

Post to Multiple Platforms

# Single platform
uv run scripts/post.py \
  --platform x \
  --content "Your tweet here" \
  --schedule "2026-02-05T15:00:00Z"

# Multi-platform with different content
uv run scripts/post.py \
  --x "Short X version" \
  --linkedin "Longer LinkedIn version with more detail" \
  --bluesky "Bluesky version" \
  --schedule "2026-02-05T15:00:00Z"

# Post immediately
uv run scripts/post.py \
  --platform x \
  --content "Posting now!" \
  --now

# Validate without posting
uv run scripts/post.py \
  --x "Test content" \
  --validate

Check for Duplicates

# Check last 30 days
uv run scripts/check_duplicates.py

# Check last 7 days
uv run scripts/check_duplicates.py --days 7

# Check if specific content would be duplicate
uv run scripts/check_duplicates.py --content "Your proposed post content"

Troubleshooting

401 Unauthorized

Re-run the login curl command to refresh cookie.

Post Not Publishing

  1. Check state is QUEUE not DRAFT
  2. Verify date is in the future
  3. Check integration is still connected in UI

Duplicate Posts

Always check existing posts before creating. The API doesn't deduplicate automatically.

Missing Environment Variables

Scripts will tell you which env vars are missing. Set them in your shell or .env file:

export POSTIZ_URL="https://your-postiz.example.com"
export POSTIZ_EMAIL="your@email.com"
export POSTIZ_PASSWORD="your-password"
export POSTIZ_X_ID="your-integration-id"

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…