Postqued API

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: postqued-api
Version: 1.0.6

The skill bundle is benign. All instructions and `curl` commands in SKILL.md are directly related to interacting with the legitimate PostQued API (api.postqued.com) for content upload and publishing. Authentication relies on an environment variable (`POSTQUED_API_KEY`), and file system access is required only for reading content to be uploaded, which is a necessary and expected behavior for a social media publishing skill. There is no evidence of prompt injection attempts, data exfiltration, malicious execution, persistence mechanisms, or any other harmful intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent with access to the API key may be able to act on the connected PostQued account within the key’s permissions.

Why it was flagged

The skill requires a bearer API key that can authorize PostQued actions. This is expected for the integration, but it is account authority that should be treated as sensitive; the provided metadata also lists no required env vars or primary credential.

Skill content

Add your PostQued API key to your workspace `.env` file: `POSTQUED_API_KEY=pq_your_api_key_here` ... `Authorization: Bearer $POSTQUED_API_KEY`

Recommendation

Use a scoped PostQued key if available, store it securely, avoid sharing logs containing the Authorization header, and revoke or rotate the key if it may have been exposed.

What this means

A mistaken API call could post content to a connected social account or schedule it at the wrong time.

Why it was flagged

The skill documents API calls that can publish or immediately dispatch social media content. This matches the stated purpose, but it is a high-impact action if used without the user confirming account, content, timing, and visibility.

Skill content

`intent`: `publish` - Direct publish to user's TikTok profile ... Set to `null` for immediate dispatch.

Recommendation

Require explicit confirmation before direct publishing, verify the target account and privacy settings, and prefer draft mode unless the user clearly requests publication.

What this means

Uploaded videos or images leave the local environment and may be processed or retained by PostQued and downstream platforms.

Why it was flagged

The workflow sends selected media files to PostQued or a presigned upload URL. This is normal for a social media scheduling API, but it is an external provider data flow.

Skill content

`curl -X PUT "PRESIGNED_URL"` ... `--data-binary @video.mp4` ... `-F "file=@image.jpg"`

Recommendation

Upload only intended files, verify the destination URL came from PostQued’s upload response, and avoid including private or sensitive media unless appropriate.