Postproxy
Call PostProxy API to create and manage social media posts
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 2 · 1.3k · 1 current installs · 1 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes calling the PostProxy API to manage social posts, which matches the skill name and description. However, the package metadata declared no required environment variables or primary credential while the instructions explicitly require POSTPROXY_API_KEY — a manifest/instructions mismatch.
Instruction Scope
Instructions are concrete curl examples covering listing, creating, scheduling, publishing, and deleting posts and include multipart file uploads from local paths (media[]=@/path/to/image.jpg). That is coherent with the purpose but has privacy implications: local files referenced by the agent could be uploaded to an external service. The SKILL.md also uses an $ARGUMENTS placeholder (open-ended) which could cause broader input being sent to the API if not constrained.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
The skill requires a single service credential (POSTPROXY_API_KEY) in the instructions, which is proportionate to the stated purpose. But the registry metadata did not declare this required env var or a primary credential, creating an inconsistency. Also, having that API key available to the agent allows the skill to act on behalf of the user (including uploading content), so users should ensure the key is only set when they intend to allow those operations.
Persistence & Privilege
The skill does not set always:true (good) but also does not disable model invocation, meaning the model could call it autonomously and use any POSTPROXY_API_KEY present in the environment. That combination (model-invocable + access to an external API key) increases risk of unexpected API calls.
What to consider before installing
This skill appears to do what it says (call the PostProxy API), but the manifest omits the required POSTPROXY_API_KEY and the runtime instructions allow uploading local files to an external service. Before installing: (1) only set POSTPROXY_API_KEY in the agent environment if you trust the skill/source; (2) be aware that using the skill or allowing the model to invoke it may cause local files referenced by the agent to be uploaded to PostProxy; (3) if you want to prevent autonomous use, disable model invocation for the skill or avoid placing the API key in the agent environment; (4) prefer skills with matching declared requirements and a known/trusted source. If you need higher assurance, ask the publisher to update the manifest to declare POSTPROXY_API_KEY and to document file-upload behavior and invocation constraints.Like a lobster shell, security has layers — review code before you run it.
Current versionv0.1.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
PostProxy API Skill
Call the PostProxy API to manage social media posts across multiple platforms (Facebook, Instagram, TikTok, LinkedIn, YouTube, X/Twitter, Threads).
Setup
API key must be set in environment variable POSTPROXY_API_KEY.
Get your API key at: https://app.postproxy.dev/api_keys
Base URL
https://api.postproxy.dev
Authentication
All requests require Bearer token:
-H "Authorization: Bearer $POSTPROXY_API_KEY"
Endpoints
List Profiles
curl -X GET "https://api.postproxy.dev/api/profiles" \
-H "Authorization: Bearer $POSTPROXY_API_KEY"
List Posts
curl -X GET "https://api.postproxy.dev/api/posts" \
-H "Authorization: Bearer $POSTPROXY_API_KEY"
Get Post
curl -X GET "https://api.postproxy.dev/api/posts/{id}" \
-H "Authorization: Bearer $POSTPROXY_API_KEY"
Create Post (JSON with media URLs)
curl -X POST "https://api.postproxy.dev/api/posts" \
-H "Authorization: Bearer $POSTPROXY_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"post": {
"body": "Post content here"
},
"profiles": ["twitter", "linkedin", "threads"],
"media": ["https://example.com/image.jpg"]
}'
Create Post (File Upload)
Use multipart form data to upload local files:
curl -X POST "https://api.postproxy.dev/api/posts" \
-H "Authorization: Bearer $POSTPROXY_API_KEY" \
-F "post[body]=Check out this image!" \
-F "profiles[]=instagram" \
-F "profiles[]=twitter" \
-F "media[]=@/path/to/image.jpg" \
-F "media[]=@/path/to/image2.png"
Create Draft
Add post[draft]=true to create without publishing:
curl -X POST "https://api.postproxy.dev/api/posts" \
-H "Authorization: Bearer $POSTPROXY_API_KEY" \
-F "post[body]=Draft post content" \
-F "profiles[]=twitter" \
-F "media[]=@/path/to/image.jpg" \
-F "post[draft]=true"
Publish Draft
curl -X POST "https://api.postproxy.dev/api/posts/{id}/publish" \
-H "Authorization: Bearer $POSTPROXY_API_KEY"
Profile options: facebook, instagram, tiktok, linkedin, youtube, twitter, threads (or use profile IDs)
Schedule Post
Add scheduled_at to post object:
curl -X POST "https://api.postproxy.dev/api/posts" \
-H "Authorization: Bearer $POSTPROXY_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"post": {
"body": "Scheduled post",
"scheduled_at": "2024-01-16T09:00:00Z"
},
"profiles": ["twitter"]
}'
Delete Post
curl -X DELETE "https://api.postproxy.dev/api/posts/{id}" \
-H "Authorization: Bearer $POSTPROXY_API_KEY"
Platform-Specific Parameters
For Instagram, TikTok, YouTube, add platforms object:
{
"platforms": {
"instagram": { "format": "reel", "first_comment": "Link in bio!" },
"youtube": { "title": "Video Title", "privacy_status": "public" },
"tiktok": { "privacy_status": "PUBLIC_TO_EVERYONE" }
}
}
User Request
$ARGUMENTS
Files
1 totalSelect a file
Select a file to preview.
Comments
Loading comments…