Zernio API
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a coherent documentation-only API reference, but using it with real credentials can connect social accounts, publish posts, and send webhook data.
This skill appears safe as a documentation-only API reference. Before installing or using it with real credentials, verify that you trust the Zernio source, keep API keys and OAuth connections tightly controlled, and require explicit approval before publishing, deleting, bulk-uploading, or configuring webhooks on live social accounts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the examples are run with a real API key, they can publish or change content on connected social accounts.
The skill documents API calls that can immediately publish, bulk-create, update, or delete posts. This is aligned with a social scheduling API, but these are high-impact actions if executed with real credentials.
`publishNow: true` // Publish immediately; endpoints include `POST /v1/posts/bulk-upload`, `PUT /v1/posts/{postId}`, `DELETE /v1/posts/{postId}`.Require explicit confirmation before posting, deleting, retrying, or bulk-uploading content, and verify the target accounts, platforms, and content before sending requests.
API keys, OAuth connections, app passwords, or bot admin access may allow Zernio to post through or manage connected social accounts.
The documentation covers OAuth, app-password, and Telegram admin-bot connection flows. These are expected for a cross-platform scheduler, but they delegate meaningful account or channel privileges.
`GET /v1/connect/{platform}` Start OAuth flow; `POST /v1/connect/bluesky/credentials`; `The Late bot must already be added as admin in your channel/group.`Use revocable credentials, verify the Telegram bot identity before granting admin rights, limit scopes where possible, and disconnect accounts or rotate keys when access is no longer needed.
A webhook receiver may see post contents, account status changes, failures, and supported direct-message events.
Webhook configuration can send post, account, and message-related events to a user-specified server. The docs include signature verification, so the flow is disclosed, but it can carry sensitive social/account data.
`url`: `https://your-server.com/webhooks/zernio`, `secret`: `your_webhook_secret`; event `message.received` = New DM/message received.
Use HTTPS webhook endpoints, keep webhook secrets private, verify signatures, and avoid sending message events to endpoints you do not control.
Users may need to verify the publisher before trusting the docs with real API keys or social account connections.
The registry metadata does not independently identify a source or homepage for a skill presented as an official API reference. There is no code or install payload, so this is a provenance note rather than a behavior concern.
Source: unknown; Homepage: none
Confirm the skill and API documentation through Zernio's official channels before using production credentials.