Social Posting
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's documentation describes storing and using sensitive credentials (provider API keys, an encryption key, and a Supabase DB client) but the registry metadata does not declare any required env vars, config paths, or installation steps — these mismatches merit caution before installing or using the skill.
Do not install blindly. Ask the skill author to clarify and/or provide:
(1) an updated registry manifest that declares required environment variables (POSTFORME_API_KEY, LATE_API_KEY, ENCRYPTION_KEY) and any database/config paths;
(2) exactly where user OAuth tokens and post history are stored, who controls the ENCRYPTION_KEY, and how users can revoke or delete stored credentials;
(3) privacy/security documentation and the official API docs for the two providers (api.postforme.dev and getlate.dev) to verify endpoints;
(4) whether the agent will ever prompt you for secrets interactively or expect them as env vars.
If you must test, do so in a sandbox account with limited-scope keys (not your primary social or cloud accounts) and confirm that stored credentials can be audited and erased. Because the registry metadata and SKILL.md disagree about required secrets and persistence, treat the skill as untrusted until those gaps are resolved.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings were reported for this release.
Risk analysis
No visible risk-analysis findings were reported for this release.
