Postproxy

Review

Audited by ClawScan on May 1, 2026.

Overview

This is a straightforward PostProxy API reference, but it can use your API key to publish, schedule, upload media for, or delete social posts, so actions should be reviewed before use.

Install only if you are comfortable letting the agent use a PostProxy API key for your connected social accounts. Review and explicitly approve the post text, target profiles, media files, schedule time, and any delete or publish action before it is run.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong content, profile, post ID, or file path, the agent could create public posts, upload unintended media, or delete posts on connected social accounts.

Why it was flagged

The skill documents Bash/curl commands that can publish, schedule, delete, and upload local media to social platforms through PostProxy. This is central to the skill's purpose, but these actions can affect public accounts.

Skill content

allowed-tools: Bash ... curl -X POST "https://api.postproxy.dev/api/posts" ... curl -X DELETE "https://api.postproxy.dev/api/posts/{id}" ... -F "media[]=@/path/to/image.jpg"

Recommendation

Before allowing create, publish, schedule, upload, or delete actions, verify the exact content, target profiles, media paths, and post IDs; prefer draft creation when uncertain.

What this means

Anyone, or any agent process, with access to the `POSTPROXY_API_KEY` environment variable could use the PostProxy authority available to that API key.

Why it was flagged

The skill uses a bearer API key to act on the user's PostProxy account. This is expected for the integration, but the registry requirements declare no required environment variables or primary credential.

Skill content

API key must be set in environment variable `POSTPROXY_API_KEY` ... -H "Authorization: Bearer $POSTPROXY_API_KEY"

Recommendation

Use a dedicated PostProxy API key with the minimum needed permissions if possible, keep it out of logs and shared shells, and revoke or rotate it when no longer needed.