Postiz Litiao

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Postiz social-posting helper, but it needs review because it can let an agent publish, upload, or delete content on live connected accounts with weak safety guidance.

Install only if you are comfortable giving an agent access to your Postiz-connected social accounts. Use draft or test integrations first, require explicit confirmation before posting, scheduling, batch runs, uploads, or deletion, and verify account IDs, audience/privacy settings, content, and dates. Store the API key in a safer secret store or tightly controlled local environment file rather than shell profiles, and avoid printing it in terminals or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (13)

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation instructs users to append `POSTIZ_API_KEY` directly into shell startup files like `~/.bashrc`, which stores the secret in plaintext and causes it to be loaded into every shell session. This increases the chance of accidental disclosure through backups, screen sharing, local compromise, or shell/profile inspection, especially because no warning or safer alternative is provided.

Missing User Warnings

Low
Confidence: 89%
Finding
The guide tells users to verify the secret with `echo $POSTIZ_API_KEY`, which prints the full API key to the terminal. That can expose the credential via terminal logging, scrollback history capture, shoulder surfing, recordings, or shared-session tooling.

Missing User Warnings

Medium
Confidence: 96%
Finding
This section again recommends persisting the API key in `~/.bashrc` or `~/.zshrc`, reinforcing insecure plaintext secret storage as the normal workflow. Repetition in a setup guide makes unsafe handling more likely to be adopted broadly by users, increasing credential exposure risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation explicitly promotes a fully automated agent workflow that enumerates available integration tools and invokes them in a loop, then proceeds to create a post, without any guardrails around external side effects, consent, or confirmation. In an agent setting, this increases the risk of unintended data transmission to third-party platforms and accidental actions against live accounts, especially because tool outputs and requirements are discovered dynamically.

Missing User Warnings

Medium
Confidence: 94%
Finding
The example script exports a live API key, fetches live data from an external integration, and creates a real post, but it does not include credential-handling guidance, redaction advice, or any warning that the action is externally visible and not easily reversible. This is dangerous because users or agents may copy-paste the script into production contexts, exposing secrets in shell history or logs and posting unintentionally to public channels.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation provides multiple ready-to-run commands that perform real posting actions to external platforms, including public-facing destinations such as Reddit, YouTube, X, LinkedIn, Instagram, and TikTok, without a prominent warning that these commands may immediately publish content to live accounts. In an agent skill context, users or downstream automation may copy these examples verbatim, increasing the risk of accidental public posting, reputational harm, or unintended disclosure from connected accounts.

Missing User Warnings

Medium
Confidence: 86%
Finding
The quick-start documents a destructive `postiz posts:delete` command with no warning, dry-run guidance, or recommendation to verify the post ID before execution. In an agent or copy-paste workflow, this increases the chance of accidental deletion of social media content, especially because the command is presented as a normal basic operation without guardrails.

Missing User Warnings

Low
Confidence: 81%
Finding
The API key setup instructions tell users to export and persist a sensitive credential but do not warn about secret handling, shell history, shared machines, or risks of checking such values into dotfiles or screenshots. This is a documentation security weakness rather than an exploit by itself, but it can lead to credential exposure and unauthorized API use.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly documents `postiz posts:delete <post-id>` without any warning that the action is destructive and may permanently remove scheduled or published content. In an agent skill context, concise command examples are often copied or invoked directly, so omitting a confirmation/warning increases the chance of accidental deletion of social media assets across connected accounts.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation shows upload commands and returned CDN URLs but does not clearly warn that local files are transmitted to a remote Postiz/CDN service and become remotely hosted artifacts. In a CLI context, users may assume a local processing step; this can lead to unintended disclosure of sensitive media or documents, especially because the examples normalize immediate reuse of the returned URL in later commands.

Missing User Warnings

Low
Confidence: 84%
Finding
The instructions tell users to export an API key but do not advise protecting the credential from shell history, shared terminals, CI logs, screenshots, or pasted transcripts. While this is common documentation shorthand, it still increases the chance of accidental credential exposure and subsequent unauthorized API use.

Missing User Warnings

Medium
Confidence: 93%
Finding
This guide contains numerous copy-pastable commands that create, schedule, and publish posts to external social platforms, but it does not warn users that these commands can trigger real network actions against live accounts when valid credentials and integration IDs are present. In an agent skill context, this is more dangerous because an automated agent may execute example commands as operational instructions, causing unintended posting, scheduling, or multi-platform dissemination without explicit user confirmation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The examples prominently use `postiz posts:create` with live integrations and default `type: "now"`, which can cause an agent or user to immediately publish content to connected social accounts. In an AI-agent context, examples are often treated as recommended defaults, so omitting an explicit warning or safer default like draft mode increases the chance of unintended public posting, spam, or reputational harm.

VirusTotal

66/66 vendors flagged this skill as clean.
