Postiz Extended
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real Postiz social-posting helper, but it under-declares the account credentials and session access needed to publish or manage social posts.
Install only if you are comfortable giving this skill access to your Postiz account and connected social channels. Use HTTPS, least-privilege credentials, verify posts before publishing, consider draft mode first, and remove or protect /tmp/postiz-cookies.txt after use.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Postiz session can control connected social channels, so anyone or any process with access to the saved cookie may be able to manage posts.
The helper logs in with a Postiz email/password and persists an authenticated cookie, even though the registry metadata declares no required env vars or primary credential.
COOKIE_FILE = "/tmp/postiz-cookies.txt"; CREDENTIALS = {"email": os.environ.get("POSTIZ_EMAIL", ""), "password": os.environ.get("POSTIZ_PASSWORD", ""), "provider": "LOCAL"}Declare the credential and env-var requirements, use least-privilege Postiz accounts or API tokens where possible, store cookies in a user-private config directory with restrictive permissions, and document cleanup.
If invoked with the wrong content, platform, or date, the skill could publish immediately or change scheduled social posts.
Direct publishing and deletion are expected for a social scheduler, but they are high-impact actions against public or business social accounts.
- List, query, update, and delete scheduled posts ... Post Types ... `now` — Publish immediately
Review the exact content, target channels, schedule time, and post type before invoking; prefer drafts for first runs or sensitive accounts.
Users may not realize that running the helper can involve local Python execution and dependency resolution.
The helper script expects uv-style execution and a Python dependency, while the install metadata says there is no install spec.
Usage: uv run post.py ... # /// script ... dependencies = ["requests"]
Document runtime requirements in metadata and, if possible, pin dependencies or provide a reproducible install path.