Upload Videos🎥, Photos📸 & Text🖊️ to TikTok, Instagram, YouTube, X, LinkedIn, Facebook, Threads, Pinterest, Reddit & Bluesky via Upload-Post API
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent and not clearly malicious, but it can publish or schedule content across connected social accounts through a third-party API without artifact-visible confirmation or credential-scoping safeguards.
Use this only if you trust Upload-Post with the accounts and content involved. Create a dedicated limited profile/key, confirm the exact media/text, platforms, profile, visibility, and schedule before every post, review scheduled jobs, and revoke or rotate the API key when no longer needed.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An ambiguous or mistaken agent action could publish content, change scheduled posts, or cancel scheduled posts on connected social accounts.
The skill exposes API operations that can create, edit, or cancel public/social posts. The artifact does not add a confirmation or preview requirement before these high-impact actions.
`/upload_videos` | POST | Upload videos ... `/upload_text` | POST | Text-only posts ... `/uploadposts/schedule/<job_id>` | DELETE | Cancel scheduled post ... PATCH | Edit scheduled post
Require explicit user confirmation of exact content, profile, platforms, visibility, and timing before any POST, PATCH, or DELETE request.
A broadly scoped Upload-Post API key could let the agent post to, schedule for, or read history/analytics from multiple connected accounts.
The API key and profile can act on linked social accounts, but the registry metadata declares no primary credential and the instructions do not clearly bound account scope or privilege.
Connect your social media accounts ... Generate an API Key ... The `user` parameter ... determines which connected social accounts receive the content.
Use a dedicated Upload-Post profile and least-privilege API key, store it securely, rotate it if exposed, and declare the credential requirement clearly.
A mistaken post could be amplified across many social platforms, creating reputational or compliance impact before the user notices.
A single wrong profile, platform list, caption, or media file could propagate the same mistake across several public channels at once.
Post content to multiple social media platforms with a single API call.
Confirm each target platform and profile before posting, and consider using drafts/private visibility where the platform supports it.
Private or unpublished media could be uploaded to the provider if the wrong file is selected.
The skill sends user-selected media and post metadata to the Upload-Post API. This is expected for the integration, but it is still a third-party data flow.
`curl -X POST "https://api.upload-post.com/api/upload_videos" ... -F "video=@video.mp4"`
Only upload intended files, avoid confidential documents unless appropriate, and review the provider's privacy and retention practices.
A scheduled or async post may publish later even after the user has moved on, unless it is reviewed or canceled.
Scheduled and asynchronous uploads are disclosed and purpose-aligned, but they can cause posting activity to occur later or outside the immediate chat turn.
`scheduled_date`: ISO-8601 date for scheduling ... `async_upload`: Set `true` for background processing
Review scheduled jobs after creation and cancel anything unexpected using the documented schedule management endpoint.
