Typefully

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate Typefully social-posting skill, but it handles account API keys, can publish posts, and has an under-disclosed API endpoint override that could route the key and post data away from Typefully.

Use this skill only if you trust the bundled script and intend to let it manage Typefully/social media posts. Verify the source, keep TYPEFULLY_API_BASE unset unless you intentionally configured a trusted endpoint, and review the selected social set and post content before publishing or scheduling.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If TYPEFULLY_API_BASE is set incorrectly or maliciously in the environment, the user's Typefully API key and social-post content could be sent to a non-Typefully endpoint.

Why it was flagged

The CLI sends the Typefully bearer token to a base URL controlled by an environment variable that is not declared in the registry metadata or setup requirements.

Skill content

const API_BASE = process.env.TYPEFULLY_API_BASE || 'https://api.typefully.com/v2';
...
'Authorization': `Bearer ${apiKey}`
...
fetch(`${API_BASE}${endpoint}`, options);

Recommendation

Unset TYPEFULLY_API_BASE unless deliberately using a trusted test endpoint, and prefer validating or pinning the API host. The skill metadata should declare its API key and endpoint-related environment variables.

What this means

The skill can publish or schedule public social media content on connected accounts when used for those tasks.

Why it was flagged

The documented workflow includes immediate publishing through the Typefully CLI.

Skill content

"Post this now" | `drafts:create ... --schedule now` or `drafts:publish <draft_id> --use-default`

Recommendation

Before publishing, confirm the final text, media, platform, and social set/account, especially when a default social set is configured.

What this means

It is harder for a user to verify that the bundled script matches the intended upstream Typefully skill.

Why it was flagged

The registry metadata does not provide a verified source or homepage, even though the skill itself references a GitHub source.

Skill content

Source: unknown
Homepage: none

Recommendation

Compare the included files against the referenced upstream repository before trusting the skill with a Typefully API key.