ClawHub

Openclaw Skill

v1.7.0

Schedule and manage social media posts across TikTok, Instagram, Facebook, X (Twitter), YouTube, LinkedIn, Threads, Bluesky, Pinterest, Telegram, and Google...

7· 2k·3 current·5 all-time
by@peturgeorgievv
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Posts externally
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (schedule/manage social posts) match the required credential (POSTFAST_API_KEY) and the documented endpoints. All referenced endpoints, headers, and operations (list accounts, get signed URLs, upload media, create posts, analytics) are coherent for a SaaS social-posting API.
Instruction Scope
SKILL.md contains concrete curl examples and a 3-step upload flow that require reading local media files (curl PUT --data-binary @/path/to/file). That is expected for uploading media, but it means the agent will need filesystem access to the specified files when invoked. The instructions do not request unrelated files, credentials, or system state beyond the POSTFAST_API_KEY. Minor doc inconsistencies exist (e.g., one example note limits supported platforms for analytics to a subset), but nothing that suggests scope creep or hidden exfiltration.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing is downloaded or written to disk by an install step, which is low risk and consistent with the skill's nature.
Credentials
Only a single environment variable (POSTFAST_API_KEY) is required and declared as the primary credential. That is proportionate and expected for an API-driven SaaS integration. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false, user-invocable true, and autonomous invocation is allowed (platform default). The skill does not request permanent system presence or modify other skills. Nothing here elevates privilege beyond normal skill behavior.
Assessment
This skill is coherent with a PostFast API integration, but before installing: 1) Only provide a workspace API key you control — prefer a least-privilege or test key and rotate it if exposed. 2) The upload flow requires the agent to read local files you point it at (e.g., curl --data-binary @/path/to/file). Only allow the agent access to directories you trust. 3) Verify the vendor (https://postfa.st) and the API key generation page before entering secrets. 4) Be mindful the connect-link returns a JWT in a URL — treat it as sensitive and avoid pasting it publicly. 5) If you want extra safety, test with a throwaway workspace/account and confirm the behavior and rate limits before using production credentials.

Like a lobster shell, security has layers — review code before you run it.

analyticsvk9749bwkkphfjqrswv4vafk5ah83t1qrapivk975vpt7xrjdhehcdyz6gvnw4d84nczagoogle-business-profilevk97c2ptcwdjr1mdpz0azakxrz584cdsfinstagramvk97eccxadssxwvhtsnw1tvxdb5824pwflatestvk975vpt7xrjdhehcdyz6gvnw4d84nczalinkedinvk97eccxadssxwvhtsnw1tvxdb5824pwfpinterestvk97eccxadssxwvhtsnw1tvxdb5824pwfpostfastvk975vpt7xrjdhehcdyz6gvnw4d84nczaschedulingvk975vpt7xrjdhehcdyz6gvnw4d84nczasocial-mediavk975vpt7xrjdhehcdyz6gvnw4d84nczatelegramvk97eccxadssxwvhtsnw1tvxdb5824pwftiktokvk97eccxadssxwvhtsnw1tvxdb5824pwfyoutubevk97eccxadssxwvhtsnw1tvxdb5824pwf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
EnvPOSTFAST_API_KEY
Primary envPOSTFAST_API_KEY

Comments