Publer

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it says, but it can immediately publish public social media posts using your Publer account, so review its use carefully.

Install only if you are comfortable letting the agent use your Publer workspace to upload media and publish posts. Before publishing, use --dry-run or another review step, verify the target account, caption, media IDs, schedule, and privacy setting, and protect the Publer API key.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with valid credentials and account/media IDs, the agent can publish public social media content immediately, which may affect reputation or accounts.

Why it was flagged

When no schedule is supplied, the script sends the post to Publer's immediate publish endpoint, with public visibility as the default, and there is no confirmation gate in the provided artifacts.

Skill content

pp.add_argument("--privacy", default="PUBLIC_TO_EVERYONE") ... else:
        endpoint = f"{BASE}/posts/schedule/publish"

Recommendation

Require an explicit user confirmation or dry-run review before publishing, verify account ID/media/caption/privacy, and consider using scheduled or private visibility for review first.

What this means

Anyone or any agent process with these environment variables can act through the configured Publer workspace within the key's permissions.

Why it was flagged

The script uses a Publer API key and workspace ID for all API calls; this is expected for the stated purpose but grants sensitive account authority.

Skill content

"Authorization": f"Bearer-API {key}",
        "Publer-Workspace-Id": ws

Recommendation

Store the API key securely, use the narrowest permissions Publer supports, rotate it if exposed, and avoid sharing the environment with unrelated skills.

What this means

Selected media files are uploaded to Publer and may become available for social posting.

Why it was flagged

The upload command reads user-supplied local files and sends them to the Publer API; this is purpose-aligned but is an external data transfer.

Skill content

with open(fp, "rb") as f:
            r = requests.post(f"{BASE}/media", headers=h,
                              files={"file": (filename, f, mime)},

Recommendation

Check file paths before upload and do not provide private or unintended files to the upload command.