ClawHub

Postiz Litiao

v1.0.0

Postiz is a tool to schedule social media and chat posts to 28+ channels X, LinkedIn, LinkedIn Page, Reddit, Instagram, Facebook Page, Threads, YouTube, Goog...

0· 95·1 current·1 all-time
by@litiao1224
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, the CLI commands in SKILL.md, and required env vars (POSTIZ_API_KEY, POSTIZ_API_URL) align with a social-media scheduling CLI that calls a Postiz API. No unrelated credentials or exotic binaries are requested.
Instruction Scope
SKILL.md instructs the agent to install/use the postiz CLI, set POSTIZ_API_KEY/POSTIZ_API_URL, run integration discovery, upload media, and create posts. These actions stay within the stated domain. Note: the doc suggests exporting the API key to shell profiles and echoing it for verification — a common but persistent practice that can expose keys in shell history or profile files if users are not careful.
Install Mechanism
There is no automatic install spec embedded in the skill (instruction-only). The docs recommend installing via npm/pnpm and point to npmjs/github—standard package sources. No opaque downloads, extract steps, or unknown host URLs are present in the install guidance.
Credentials
The skill only requires POSTIZ_API_KEY and an optional POSTIZ_API_URL, which are proportional to a remote-API CLI. No additional secrets, cloud credentials, or unrelated environment variables are requested.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide config modifications. It suggests (in docs) adding the API key to shell profiles for convenience — a user action, not an automatic privilege escalation by the skill itself.
Assessment
This package appears to be a legitimate CLI wrapper for the Postiz API and only needs the Postiz API key and optionally a custom API URL. Before installing or adding the API key to your shell profile: (1) treat POSTIZ_API_KEY like any secret — avoid committing it to repos or exposing it in shared machines, (2) prefer using environment-specific secret storage (e.g., CI secrets, OS credential store) instead of adding to ~/.bashrc if you care about leakage, and (3) verify the upstream npm/github project (links in SKILL.md) to confirm you trust the publisher before running global npm installs or linking binaries.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ae6bsep4gk53ddteddea11832yv0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌎 Clawdis
EnvPOSTIZ_API_URL, POSTIZ_API_KEY

Comments