Supapost
v1.0.1Generate AI images and video, build TikTok slideshows, manage AI influencers, and schedule posts to TikTok / Instagram / YouTube / X through the Supapost MCP...
⭐ 0· 39·0 current·0 all-time
bySupapost@supapost-dev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description, declared tools, and required environment (SUPAPOST_API_KEY) are consistent: the skill is about generating and scheduling social content via the Supapost MCP and only needs the service API key. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructions stay within the domain of connecting to the Supapost MCP, generating assets, and scheduling/publishing posts. It instructs resolving ids via list_* calls and to confirm destructive actions. It does not instruct reading unrelated files or exfiltrating system secrets.
Install Mechanism
The skill is instruction-only (no install spec), which is low-risk. However the docs suggest optional commands that invoke npx (e.g., npx skills add, npx -y @supapost/mcp) and downloading a raw SKILL.md from supapo.st; running npx pulls and executes code from npm at runtime—this is optional but worth treating as a potential execution risk if you follow those steps.
Credentials
Only SUPAPOST_API_KEY is required and is the declared primary credential. That is proportional for a service that schedules and publishes social posts. The SKILL.md explicitly warns not to leak the key and keeps credential handling limited to MCP env headers.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. Normal autonomous invocation is allowed (platform default). Be aware that the SUPAPOST_API_KEY grants the ability to create/schedule/publish content to connected social accounts, so protect the key and only grant it to agents you trust.
Assessment
This skill appears to be what it claims: it needs only your Supapost API key to generate and schedule content. Before installing, verify the MCP server URL (https://mcp.supapo.st) and that the supapo.st domain is legitimate for your organization. Treat the SUPAPOST_API_KEY like any posting credential: only provide it if you trust the agent to create/schedule posts, and prefer a scoped/revocable key if available. Avoid blindly running suggested npx commands unless you trust the npm package and source; running npx will execute remote code. If you grant the key and later suspect misuse, revoke it from https://supapo.st/settings/developer.Like a lobster shell, security has layers — review code before you run it.
latestvk976ptb0k6dzy9s3mz3qwsfjph84tb9zmcpvk976ptb0k6dzy9s3mz3qwsfjph84tb9zpost schedulingvk976ptb0k6dzy9s3mz3qwsfjph84tb9ztiktokvk976ptb0k6dzy9s3mz3qwsfjph84tb9z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvSUPAPOST_API_KEY
Primary envSUPAPOST_API_KEY