Repliz Api
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: repliz Version: 1.0.2 The skill bundle provides an API integration for Repliz social media management. It clearly defines its purpose, required environment variables (REPLIZ_ACCESS_KEY, REPLIZ_SECRET_KEY), and API endpoints for managing social media accounts, schedules, and comments. There is no evidence of intentional harmful behavior, data exfiltration to unauthorized third parties, persistence mechanisms, or prompt injection attempts in SKILL.md designed to subvert the agent for malicious ends. All external URLs point to the stated service, repliz.com.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could publish or schedule content, reply publicly, or remove scheduled content on connected social accounts if it acts on an ambiguous or mistaken request.
The skill exposes API operations that create scheduled social posts, delete scheduled posts, and reply to comments, but the provided instructions do not define user-confirmation, preview, or account-selection safeguards.
**POST /public/schedule** ... **DELETE /public/schedule/{_id}** - Delete scheduled post (cannot be recovered) ... **POST /public/queue/{_id}** - Reply to commentAdd explicit guardrails requiring user confirmation before every POST or DELETE action, including the target account, exact content, scheduled time, and whether the action is reversible.
If credentials or returned access tokens are exposed in chat, logs, or outputs, someone could potentially misuse them to manage or post to connected social accounts.
The required Repliz credentials grant broad delegated authority, and the account endpoint may expose an underlying posting token without any redaction or handling instructions.
Store these credentials securely - they grant access to post, delete, and manage your social media content ... Returns full account info including `token.access` for posting
Use least-privilege Repliz credentials where available, avoid retrieving or displaying `token.access` unless strictly necessary, and redact credentials or tokens from all responses and logs.