Publora
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is mostly a normal Publora social-posting API guide, but it contains an unsafe ambiguity that could make an agent publish when the user expected a draft.
Install only if you are comfortable giving the agent access to a Publora API key. Before any post operation, explicitly confirm the text, media, platforms, publish/draft status, and schedule time, and verify Publora's real API behavior for drafts versus immediate publishing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following these instructions could publish a social media post publicly when you intended only to save a draft, or could create a draft when you expected an immediate post.
The same omitted field is documented as causing two different high-impact outcomes: immediate public publishing and draft creation.
## Post Immediately Omit `scheduledTime` to publish right away ... ## Save as Draft Omit `scheduledTime` — post is created as draft.
Before use, verify Publora's API behavior and require explicit user confirmation of content, platforms, timing, and status. Do not rely on omitted scheduledTime to distinguish draft versus publish.
A user may not realize they must provide an API key that can operate their Publora workspace and connected social accounts.
The skill clearly needs a Publora API key, but the registry metadata does not declare a credential requirement.
metadata: Primary credential: none; Required env vars: none ... SKILL.md: All requests require the `x-publora-key` header.
Treat the Publora key as sensitive, store it outside chat when possible, use the least-privileged key available, and revoke it if exposed.
Files selected for media posts will be uploaded outside the local environment to Publora/S3 infrastructure.
Media upload sends file bytes to an external pre-signed storage URL. This is expected for social media publishing, but users should notice the data flow.
Step 2: `POST /api/v1/get-upload-url` → get `uploadUrl`
Step 3: `PUT {uploadUrl}` with file bytes (no auth needed for S3)Upload only files intended for publication, verify the destination URL is from the expected Publora workflow, and avoid including private files by accident.