Postproxy
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is a coherent PostProxy API helper, but it can use a bearer API key to publish or delete social posts across multiple platforms without explicit confirmation safeguards.
Install only if you trust PostProxy and are comfortable letting the agent use a PostProxy API key. Use a limited/revocable key, ask the agent to create drafts or preview content first, confirm exact profiles and post IDs before publishing or deleting, and provide only the specific media file paths you intend to upload.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misinterprets a request or acts too broadly, it could publish unwanted public content or delete existing posts.
The skill gives Bash-based API instructions for publishing and deleting social media posts, but the artifact does not add confirmation, preview, draft-first, or scope limits for these high-impact actions.
allowed-tools: Bash ... curl -X POST "https://api.postproxy.dev/api/posts/{id}/publish" ... curl -X DELETE "https://api.postproxy.dev/api/posts/{id}"
Require explicit user confirmation before create/publish/delete actions, preview the exact content and target profiles, default to drafts when possible, and verify post IDs before deletion.
Anyone, or any agent action, with access to the `POSTPROXY_API_KEY` environment variable may be able to act on connected PostProxy social accounts.
The skill requires a bearer token for PostProxy. This is expected for the service, but it grants account authority and is not declared in the registry credential metadata.
API key must be set in environment variable `POSTPROXY_API_KEY` ... -H "Authorization: Bearer $POSTPROXY_API_KEY"
Use a dedicated, revocable PostProxy API key with the minimum available permissions, and rotate it if it may have been exposed.
A single error could create or schedule the wrong content on several social accounts at once.
The skill explicitly supports posting across many platforms, so one mistaken request can propagate to multiple public channels.
manage social media posts across multiple platforms (Facebook, Instagram, TikTok, LinkedIn, YouTube, X/Twitter, Threads)
Specify exact target profiles for every action and ask the agent to confirm the final platform list before sending the API request.
A private or incorrect local file path could be uploaded to PostProxy and potentially posted publicly.
The skill can upload user-selected local media files to the PostProxy API. This is purpose-aligned, but users should be aware that local files named in requests leave the local environment.
Use multipart form data to upload local files: ... -F "media[]=@/path/to/image.jpg"
Use explicit file paths, avoid broad/globbed paths, and have the agent confirm the selected media files before upload.
