Postiz is a tool to schedule social media and chat posts to 28+ channels: X, LinkedIn, LinkedIn Page, Reddit, Instagram, Facebook Page, Threads, YouTube, Google My Business, TikTok, Pinterest, Dribbble, Discord, Slack, Kick, Twitch, Mastodon, Bluesky, Lemmy, Farcaster, Telegram, Nostr, VK, Medium, Dev.to, Hashnode, WordPress, ListMonk
v1.0.15
⭐ 31· 8.3k·47 current·48 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, declared env vars (POSTIZ_API_KEY, POSTIZ_API_URL), and the CLI commands in SKILL.md all align: this is a CLI for the Postiz API and needs an API key and optional custom API URL. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md is an instruction-only skill that tells the agent to install and run the official postiz CLI and to authenticate before any action. It references expected artifacts (e.g., ~/.postiz/credentials.json for OAuth) and typical CLI commands. This stays within the claimed scope; note that it instructs storing credentials locally (credentials.json) and suggests adding an export line to shell RC files for persistence.
Install Mechanism
No registry install spec is embedded in the skill bundle (instruction-only), but the SKILL.md recommends installing a published npm package (npmjs and GitHub links are provided). Installing a global npm package is expected for a CLI, but as with any third-party npm package, you should verify that the package published to npm/GitHub is authentic before installing it globally.
Credentials
Only POSTIZ_API_KEY is required; POSTIZ_API_URL is optional. OAuth credentials are stored in ~/.postiz/credentials.json per the CLI behavior. The requested environment access is minimal and directly related to the stated functionality.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill's instructions encourage persisting credentials (OAuth file in home) and adding export lines to shell startup files — these are standard for CLI tools but are persistent actions the user should consciously approve.
Assessment
This skill is internally consistent for a Postiz CLI integration, but take these precautions before installing or running it:
- Verify the npm package and GitHub repository (https://www.npmjs.com/package/postiz and https://github.com/gitroomhq/postiz-app) actually belong to the project you expect — check stars, recent commits, and publisher identity.
- Prefer the OAuth device flow (postiz auth:login) rather than pasting long-lived API keys into ephemeral contexts. If you must use POSTIZ_API_KEY, create a least-privilege key and store it securely.
- Be aware the CLI will store OAuth tokens at ~/.postiz/credentials.json and may suggest adding export lines to your shell rc (e.g., ~/.bashrc). Only persist secrets you trust and ensure file permissions are appropriate (restrict to your user).
- When using POSTIZ_API_URL, confirm the URL is the official API endpoint; avoid pointing the CLI to third-party URLs you don't control, as that could leak credentials.
- If you plan to install globally (npm install -g), consider auditing the package contents or running it in an isolated environment (container or VM) first.
If you want more assurance, request the package's published maintainer details and a quick review of the package contents on npm/GitHub before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🌎 Clawdis
Env: POSTIZ_API_URL, POSTIZ_API_KEY
