Postiz Extended
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Postiz session can control connected social channels, so anyone or any process with access to the saved cookie may be able to manage posts.
The helper logs in with a Postiz email/password and persists an authenticated cookie, even though the registry metadata declares no required env vars or primary credential.
COOKIE_FILE = "/tmp/postiz-cookies.txt"; CREDENTIALS = {"email": os.environ.get("POSTIZ_EMAIL", ""), "password": os.environ.get("POSTIZ_PASSWORD", ""), "provider": "LOCAL"}
Declare the credential and env-var requirements, use least-privilege Postiz accounts or API tokens where possible, store cookies in a user-private config directory with restrictive permissions, and document cleanup.
If invoked with the wrong content, platform, or date, the skill could publish immediately or change scheduled social posts.
Direct publishing and deletion are expected for a social scheduler, but they are high-impact actions against public or business social accounts.
- List, query, update, and delete scheduled posts ... Post Types ... `now` — Publish immediately
Review the exact content, target channels, schedule time, and post type before invoking; prefer drafts for first runs or sensitive accounts.
Users may not realize that running the helper can involve local Python execution and dependency resolution.
The helper script expects uv-style execution and a Python dependency, while the install metadata says there is no install spec.
Usage: uv run post.py ... # /// script ... dependencies = ["requests"]
Document runtime requirements in metadata and, if possible, pin dependencies or provide a reproducible install path.
