ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Postproxy

Call PostProxy API to create and manage social media posts

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.4k · 3 current installs · 3 all-time installs
by@danbaranov
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly how to call the PostProxy API (endpoints, bearer auth, payloads) which is coherent with the name/description. However the registry metadata lists no required env vars/credentials while the instructions require POSTPROXY_API_KEY — a clear metadata/instruction mismatch that should be corrected.
!
Instruction Scope
The instructions instruct using curl with a Bearer token and include examples for multipart file uploads (e.g., -F "media[]=@/path/to/image.jpg"). That implies the agent will read local filesystem paths supplied to it. The SKILL.md also expects the POSTPROXY_API_KEY from the environment. The skill does not instruct collecting other unrelated system files, but the file-upload examples mean the agent may be asked to access arbitrary local files — a privacy/exfiltration risk if misused.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. That is the lowest-risk install model.
!
Credentials
Requesting a single service API key (POSTPROXY_API_KEY) is proportionate for an API client. The concern is that the registry metadata does not declare this required environment variable while the SKILL.md requires it — a mismatch that could cause users to unknowingly provide credentials. Additionally, because examples show uploading local files, a provided API key could be used to transmit files from the host if the agent is instructed to do so.
Persistence & Privilege
The skill does not request always: true, has no install behavior, and does not claim to modify other skills or system-wide settings. Normal autonomous invocation is enabled (platform default) and not in itself a red flag here.
What to consider before installing
This skill appears to be a simple PostProxy API wrapper, but take these precautions: (1) The SKILL.md requires POSTPROXY_API_KEY but the registry metadata doesn't declare it — confirm with the author before supplying credentials. (2) The examples show uploading local files (media[]=@/path/to/file); avoid giving the skill broad filesystem access or uploading sensitive files. (3) There is no source or homepage listed — try to verify the publisher and the service (https://app.postproxy.dev) and prefer using a scoped/limited API key or a test account. (4) If you install, start in a sandboxed environment and monitor network calls; revoke the key if behavior is unexpected.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0
Download zip
latestvk977yw6ychrpmvqfw5sjm2jp5980kch1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

PostProxy API Skill

Call the PostProxy API to manage social media posts across multiple platforms (Facebook, Instagram, TikTok, LinkedIn, YouTube, X/Twitter, Threads).

Setup

API key must be set in environment variable POSTPROXY_API_KEY. Get your API key at: https://app.postproxy.dev/api_keys

Base URL

https://api.postproxy.dev

Authentication

All requests require Bearer token:

-H "Authorization: Bearer $POSTPROXY_API_KEY"

Endpoints

List Profiles

curl -X GET "https://api.postproxy.dev/api/profiles" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"

List Posts

curl -X GET "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"

Get Post

curl -X GET "https://api.postproxy.dev/api/posts/{id}" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"

Create Post (JSON with media URLs)

curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "post": {
      "body": "Post content here"
    },
    "profiles": ["twitter", "linkedin", "threads"],
    "media": ["https://example.com/image.jpg"]
  }'

Create Post (File Upload)

Use multipart form data to upload local files:

curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -F "post[body]=Check out this image!" \
  -F "profiles[]=instagram" \
  -F "profiles[]=twitter" \
  -F "media[]=@/path/to/image.jpg" \
  -F "media[]=@/path/to/image2.png"

Create Draft

Add post[draft]=true to create without publishing:

curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -F "post[body]=Draft post content" \
  -F "profiles[]=twitter" \
  -F "media[]=@/path/to/image.jpg" \
  -F "post[draft]=true"

Publish Draft

curl -X POST "https://api.postproxy.dev/api/posts/{id}/publish" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"

Profile options: facebook, instagram, tiktok, linkedin, youtube, twitter, threads (or use profile IDs)

Schedule Post

Add scheduled_at to post object:

curl -X POST "https://api.postproxy.dev/api/posts" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "post": {
      "body": "Scheduled post",
      "scheduled_at": "2024-01-16T09:00:00Z"
    },
    "profiles": ["twitter"]
  }'

Delete Post

curl -X DELETE "https://api.postproxy.dev/api/posts/{id}" \
  -H "Authorization: Bearer $POSTPROXY_API_KEY"

Platform-Specific Parameters

For Instagram, TikTok, YouTube, add platforms object:

{
  "platforms": {
    "instagram": { "format": "reel", "first_comment": "Link in bio!" },
    "youtube": { "title": "Video Title", "privacy_status": "public" },
    "tiktok": { "privacy_status": "PUBLIC_TO_EVERYONE" }
  }
}

User Request

$ARGUMENTS

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…