Repliz Api
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could publish or schedule content, reply publicly, or remove scheduled content on connected social accounts if it acts on an ambiguous or mistaken request.
The skill exposes API operations that create scheduled social posts, delete scheduled posts, and reply to comments, but the provided instructions do not define user-confirmation, preview, or account-selection safeguards.
**POST /public/schedule** ... **DELETE /public/schedule/{_id}** - Delete scheduled post (cannot be recovered) ... **POST /public/queue/{_id}** - Reply to comment
Add explicit guardrails requiring user confirmation before every POST or DELETE action, including the target account, exact content, scheduled time, and whether the action is reversible.
If credentials or returned access tokens are exposed in chat, logs, or outputs, someone could potentially misuse them to manage or post to connected social accounts.
The required Repliz credentials grant broad delegated authority, and the account endpoint may expose an underlying posting token without any redaction or handling instructions.
Store these credentials securely - they grant access to post, delete, and manage your social media content ... Returns full account info including `token.access` for posting
Use least-privilege Repliz credentials where available, avoid retrieving or displaying `token.access` unless strictly necessary, and redact credentials or tokens from all responses and logs.
