Openclaw Skill

Review

Audited by ClawScan on May 10, 2026.

Overview

This instruction-only PostFast skill matches its social scheduling purpose, but it can publish, delete, cross-post, and upload media using your PostFast API key.

Install only if you trust PostFast with the connected social accounts and uploaded media. Before using it, protect your POSTFAST_API_KEY, edit example payloads instead of posting them unchanged, and confirm every public post, deletion, account ID, schedule time, and media file path.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or unauthorized request could publish, schedule, or delete social media content on connected accounts.

Why it was flagged

The documented API can create scheduled public content and delete scheduled posts. This is central to the skill's purpose, but it is high-impact account mutation.

Skill content

POST /social-posts ... Create/schedule one or more posts. Up to 15 posts per request ... DELETE /social-posts/:id ... Delete a scheduled post by ID.

Recommendation

Review the exact content, account IDs, schedule time, and delete target before allowing create or delete calls; use drafts or pending approval when uncertain.

What this means

Anyone with the API key may be able to act through the PostFast workspace according to that key's permissions.

Why it was flagged

The skill relies on a PostFast workspace API key to access connected social accounts and perform posting actions. This is expected for the integration, but the key is sensitive.

Skill content

export POSTFAST_API_KEY="your-api-key" ... Auth header: `pf-api-key: $POSTFAST_API_KEY`

Recommendation

Store the key securely, avoid sharing logs or shell history containing it, and rotate the key if it may have been exposed.

What this means

Images, videos, PDFs, or documents selected for posting will be uploaded to external storage and may later be published to social platforms.

Why it was flagged

The media workflow sends user-selected local files to a PostFast-provided S3 signed URL. The destination is disclosed and purpose-aligned, but uploaded files leave the local environment.

Skill content

PostFast uses a 3-step media upload process ... Upload File to S3 ... --data-binary @/path/to/file.png

Recommendation

Only upload files intended for posting, verify file paths before upload, and avoid sending private or confidential media by mistake.

What this means

A bad caption, wrong account ID, or unsuitable platform setting could be replicated across several social channels.

Why it was flagged

A single batch request can affect multiple connected accounts or platforms, and shared controls may apply broadly.

Skill content

Cross-posting: Add multiple objects to the `posts` array, each with different `socialMediaId`. The `controls` object applies to all posts in the batch.

Recommendation

Double-check each target account and platform-specific control before batch scheduling or cross-posting.