Publora Mastodon

Review

Audited by ClawScan on May 1, 2026.

Overview

This is a straightforward instruction-only Publora/Mastodon posting guide, but it uses a Publora API key to create public or scheduled Fediverse posts.

Before installing or using this skill, make sure you trust the Publora workflow, protect your Publora API key, and require confirmation of the exact post content, media, account, and schedule before any public Mastodon/Fediverse publication.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with the wrong content, account, or timing, the agent could publish or schedule an unwanted Mastodon post.

Why it was flagged

The skill documents a direct API call that creates a Mastodon post. This is central to the stated purpose, but it is a public account action and should be user-approved.

Skill content

await fetch('https://api.publora.com/api/v1/create-post', { method: 'POST' ... platforms: ['mastodon-123456789'] })

Recommendation

Only use the skill after confirming the final post text, media, target Mastodon account/platform ID, and scheduled time with the user.

What this means

Anyone or any agent with the key may be able to create or schedule posts through the connected Publora account.

Why it was flagged

The skill requires a Publora API key to act on the user's Publora-connected Mastodon account. This is expected for the integration, but it is still account authority.

Skill content

**Header:** `x-publora-key: sk_YOUR_KEY`

Recommendation

Store the Publora key securely, avoid pasting real keys into shared chats or logs, and use the least-privileged/revocable key Publora supports.

What this means

A mistaken post may be copied or seen across federated servers, making it harder to contain after publication.

Why it was flagged

The artifact explicitly notes that posts can propagate beyond mastodon.social to the broader Fediverse, increasing the impact of accidental or unwanted publication.

Skill content

- **Federation**: Posts federate automatically to the broader Fediverse

Recommendation

Review public visibility and wording carefully before posting, especially for sensitive, private, or time-dependent content.