Mixpost
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: mixpost Version: 1.0.0 The skill bundle provides instructions and `curl` examples for interacting with the Mixpost API. All API calls are directed to the user-configured `$MIXPOST_URL` and use provided environment variables (`MIXPOST_ACCESS_TOKEN`, `MIXPOST_WORKSPACE_UUID`) for authentication. While the skill includes a capability to upload local files (e.g., `file=@/path/to/your/file.png`), this is explicitly for uploading media to the Mixpost service, which aligns with its stated purpose. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the agent within the `SKILL.md` content.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could help delete media or change workspace resources if the user asks it to use these API examples.
The skill documents authenticated API calls that can delete Mixpost media. This is aligned with social media management, but it is a high-impact action if run against the wrong workspace or items.
### Delete media ```bash curl -X DELETE "$MIXPOST_URL/api/$MIXPOST_WORKSPACE_UUID/media"
Require explicit confirmation before delete, update, schedule, or publish actions, and double-check workspace UUIDs and item IDs before running commands.
Anyone or any agent process with this token could potentially access or modify Mixpost workspace content according to the token's permissions.
The skill requires a bearer access token for Mixpost API calls. This is expected for the integration, but the token may grant read/write access to a social media management workspace.
export MIXPOST_ACCESS_TOKEN="your-access-token"
Use the least-privileged token Mixpost supports, keep it out of logs and shared files, and revoke or rotate it when no longer needed.