Repliz Api
Warn
Audited by ClawScan on May 10, 2026.
Overview
This looks like a real Repliz integration, but it gives the agent broad social-media posting, reply, and deletion authority without clear confirmation or token-handling guardrails.
Install only if you trust the Repliz account and are comfortable giving the agent access to connected social media accounts. Before using it, set strict personal rules to confirm every post, reply, deletion, account ID, and schedule time, and never let the agent print or store API keys or access tokens.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could publish or schedule content, reply publicly, or remove scheduled content on connected social accounts if it acts on an ambiguous or mistaken request.
The skill exposes API operations that create scheduled social posts, delete scheduled posts, and reply to comments, but the provided instructions do not define user-confirmation, preview, or account-selection safeguards.
**POST /public/schedule** ... **DELETE /public/schedule/{_id}** - Delete scheduled post (cannot be recovered) ... **POST /public/queue/{_id}** - Reply to comment
Add explicit guardrails requiring user confirmation before every POST or DELETE action, including the target account, exact content, scheduled time, and whether the action is reversible.
If credentials or returned access tokens are exposed in chat, logs, or outputs, someone could potentially misuse them to manage or post to connected social accounts.
The required Repliz credentials grant broad delegated authority, and the account endpoint may expose an underlying posting token without any redaction or handling instructions.
Store these credentials securely - they grant access to post, delete, and manage your social media content ... Returns full account info including `token.access` for posting
Use least-privilege Repliz credentials where available, avoid retrieving or displaying `token.access` unless strictly necessary, and redact credentials or tokens from all responses and logs.
