Social Media Assistant (via post-bridge.com)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is clearly meant for social media automation, but it grants an agent authority to post, schedule, update, and delete public social content without clear approval boundaries.
Install only if you are comfortable giving the agent controlled access to your Post Bridge account. Before use, set strict rules that it must show the caption, media, target accounts, timing, and platform settings and get your explicit approval before posting, scheduling, editing, or deleting anything.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings for this skill version.
- Malicious
- 0
- Suspicious
- 0
- Harmless
- 0
- Undetected
- 64
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could publish or schedule content on connected social accounts as part of its workflow.
The skill explicitly frames public social media management as autonomous, which is high-impact because posts can affect public accounts and reputation.
Autonomously manage social media posting via [Post Bridge](https://post-bridge.com) API.
Require explicit user confirmation before publishing, scheduling, updating, or deleting posts; consider using draft mode by default.
A mistaken or over-eager agent action could post content immediately to one or more connected platforms.
The documented workflow supports immediate public posting, but the artifact does not include safeguards such as mandatory draft creation, preview, account allowlisting, or user approval before instant posting.
POST /v1/posts ... "scheduled_at": "2026-01-01T14:00:00Z", // omit for instant post
Add clear operating rules: never post instantly without a final user approval, show the target accounts and caption/media first, and prefer scheduled or draft posts.
The agent could modify or remove scheduled social posts, potentially disrupting a campaign or publishing plan.
The skill documents mutation and deletion of scheduled posts without stating when the agent must ask the user or how changes can be reviewed and reversed.
PATCH /v1/posts/<post_id> ... DELETE /v1/posts/<post_id>
Require user confirmation for every update or deletion and log the original post details before changing them.
Anyone or any agent process with access to this key may be able to act on connected social media accounts through Post Bridge.
The API key is expected for Post Bridge, but it represents delegated authority over connected social accounts and should be treated as a sensitive credential.
Connect your social accounts (TikTok, Instagram, YouTube, Twitter, etc.) ... Authorization: Bearer <POST_BRIDGE_API_KEY>
Use the least-privileged Post Bridge API key available, limit connected accounts where possible, keep the key out of shared workspaces, and rotate it if exposed.