ClawHub

Posta

v1.2.2

Post to Instagram, TikTok, LinkedIn, YouTube, X/Twitter, Facebook, Pinterest, Threads and Bluesky from your terminal. Create posts with AI-generated images a...

0· 189·0 current·0 all-time
by@stgime
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (social posting, scheduling, analytics, AI image/text generation) align with required binaries (curl, jq), the single primary credential (POSTA_API_TOKEN), and the helper scripts which call the Posta API and optional AI provider APIs.
Instruction Scope
The SKILL.md and scripts limit actions to calling the Posta API, uploading media via signed URLs, and optionally calling Fireworks/Gemini/OpenAI for generation. The helper script reads a small, explicit list of credential files and environment variables. Minor inconsistency: some docs/examples claim the skill searches shell profiles (~/.zshrc, ~/.bashrc), but the actual script's _POSTA_CREDENTIAL_SOURCES does not include those files (the script only checks ~/.posta/credentials and specific .env files). This mismatched documentation should be clarified but does not change the overall scope.
Install Mechanism
Instruction-only skill with shipped helper scripts (no network install, no arbitrary downloads). No install spec that fetches external archives or runs unknown installers.
Credentials
Primary required env is POSTA_API_TOKEN (appropriate). Optional vars (FIREWORKS_API_KEY, GEMINI_API_KEY, OPENAI_API_KEY, POSTA_BASE_URL) are reasonable for AI generation and alternate API endpoints. The script will read the declared .env files and ~/.posta/credentials for these exact variable names only — this is expected, but users should be aware that .env files in the working directory will be inspected for those variables.
Persistence & Privilege
No special platform privileges requested. Token caching is local to /tmp. always is false and the skill does not modify other skills or system-wide configs.
Assessment
This skill appears to do what it claims: manage Posta accounts and optionally call AI services for content. Before installing: 1) Only provide POSTA_API_TOKEN if you trust the Posta service; tokens are cached in /tmp for the session so revoke them if exposed. 2) Be aware the helper reads ~/.posta/credentials and .env/.env.local/.env.production in the working directory for exact variable names (it will not read other files), so avoid storing unrelated secrets in those files in projects you use with this skill. 3) The docs inconsistently mention searching shell profiles; in practice the shipped script does not read ~/.bashrc or ~/.zshrc — verify the version you install if this matters. 4) If you enable AI generation, you’ll need to supply FIREWORKS_API_KEY / GEMINI_API_KEY / OPENAI_API_KEY and the skill will make network calls to those external APIs. 5) Review the GitHub source (homepage) if you want additional assurance; revoke any tokens you test with if you suspect exposure.

Like a lobster shell, security has layers — review code before you run it.

automationvk973vg99b6s86s52n4bkp9q2xd8304csinstagramvk973vg99b6s86s52n4bkp9q2xd8304cslatestvk973vg99b6s86s52n4bkp9q2xd8304csschedulingvk973vg99b6s86s52n4bkp9q2xd8304cssocial-mediavk973vg99b6s86s52n4bkp9q2xd8304cstiktokvk973vg99b6s86s52n4bkp9q2xd8304cs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, jq
EnvPOSTA_API_TOKEN
Primary envPOSTA_API_TOKEN

Comments