ClawHub

Postqued API

v1.0.6

PostQued social media scheduling API integration. Use when performing API calls to PostQued for content upload, publishing to TikTok (and other platforms), m...

2· 582·0 current·0 all-time
byHasnain@syeddhasnainn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a PostQued API integration (uploading, scheduling, TikTok publish) which is coherent with the skill name/description, but the declared registry metadata lists no required env vars or primary credential while the runtime instructions explicitly require POSTQUED_API_KEY. That metadata/requirement mismatch is an incoherence.
Instruction Scope
The instructions are narrowly scoped to API calls (upload/publish/status) and do not instruct the agent to read unrelated system files or exfiltrate data. However, they tell the user/agent to add a POSTQUED_API_KEY to the workspace .env and reference a local file (references/api.md) that is not present in the bundle, which suggests the instructions assume local workspace changes and missing documentation.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes installation risk because nothing is downloaded or written by an installer step.
!
Credentials
The skill requires a single service API key (POSTQUED_API_KEY) according to SKILL.md, which is reasonable for this purpose — but the registry metadata does not declare this required env var or a primaryEnv. The omission is disproportionate and makes it unclear what secrets the platform should expect or protect. Storing the key in a workspace .env is also a potential exposure if other skills or processes have access.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only; it does not request persistent system-wide privileges or modify other skills' configuration in its instructions.
What to consider before installing
This skill appears to be an instruction-only PostQued API helper and mostly does what it claims, but there are some red flags you should consider before installing: (1) The SKILL.md tells you to add POSTQUED_API_KEY to your workspace .env, yet the registry metadata does not declare that required env var or a primary credential — ask the publisher to correct the metadata so the platform can protect that secret. (2) The skill's source/homepage is unknown and it references a local file (references/api.md) that isn't bundled; prefer skills from identifiable authors or with published docs. (3) If you decide to use it, create a least-privilege PostQued API key (scoped/rotatable) and avoid storing high-privilege credentials in shared .env files. (4) Consider testing in an isolated workspace or sandbox and verify network calls (domain is api.postqued.com) before allowing autonomous invocation. If the publisher cannot explain the metadata omission and provenance, treat the skill with caution or avoid installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk970gr4qfpyegemjn9bqfq4zcs81d4rp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments