Supapost

The skill's declared purpose, single required credential (SUPAPOST_API_KEY), and runtime instructions are internally consistent and proportionate to a Supapost MCP integration.

This skill appears to do what it claims, but before installing: (1) Verify you trust supapost.so and the developer links (check the GitHub repo and the developer settings page) because media and post content will be sent to their MCP server. (2) Treat SUPAPOST_API_KEY like any secret: create a scoped/limited key if possible, avoid pasting it into terminals (which can go into shell history), and be aware it will be stored in your MCP client config (e.g., ~/.cursor/mcp.json) if you follow the documented steps. (3) Confirm what data will be sent to Supapost (images, prompts, scheduled metadata) and whether that matches your privacy/compliance needs. (4) If you are concerned about autonomous usage, note the platform default allows the agent to invoke the skill; restrict or disable autonomous invocation in your agent settings if necessary. (5) Rotate or revoke the key if you suspect exposure and inspect the linked repository and docs for any additional implementation details before trusting the integration.