Postqued API

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a documentation-only PostQued API integration that clearly describes using a PostQued API key to upload and publish social media content, with no hidden code, but users should review any publish actions carefully.

This skill appears coherent and instruction-only. Before using it, make sure you trust PostQued with the media and social account access, store the API key securely, and ask the agent to confirm content, account, timing, and privacy before any direct publish action.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone or any agent with access to the API key may be able to act on the connected PostQued account within the key’s permissions.

Why it was flagged

The skill requires a bearer API key that can authorize PostQued actions. This is expected for the integration, but it is account authority that should be treated as sensitive; the provided metadata also lists no required env vars or primary credential.

Skill content

Add your PostQued API key to your workspace `.env` file: `POSTQUED_API_KEY=pq_your_api_key_here` ... `Authorization: Bearer $POSTQUED_API_KEY`

Recommendation

Use a scoped PostQued key if available, store it securely, avoid sharing logs containing the Authorization header, and revoke or rotate the key if it may have been exposed.

ASI02: Tool Misuse and Exploitation
Medium
What this means

A mistaken API call could post content to a connected social account or schedule it at the wrong time.

Why it was flagged

The skill documents API calls that can publish or immediately dispatch social media content. This matches the stated purpose, but it is a high-impact action if used without the user confirming account, content, timing, and visibility.

Skill content

`intent`: `publish` - Direct publish to user's TikTok profile ... Set to `null` for immediate dispatch.

Recommendation

Require explicit confirmation before direct publishing, verify the target account and privacy settings, and prefer draft mode unless the user clearly requests publication.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Uploaded videos or images leave the local environment and may be processed or retained by PostQued and downstream platforms.

Why it was flagged

The workflow sends selected media files to PostQued or a presigned upload URL. This is normal for a social media scheduling API, but it is an external provider data flow.

Skill content

`curl -X PUT "PRESIGNED_URL"` ... `--data-binary @video.mp4` ... `-F "file=@image.jpg"`

Recommendation

Upload only intended files, verify the destination URL came from PostQued’s upload response, and avoid including private or sensitive media unless appropriate.