Upload Videos🎥, Photos📸 & Text🖊️ to TikTok, Instagram, YouTube, X, LinkedIn, Facebook, Threads, Pinterest, Reddit & Bluesky via Upload-Post API
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: upload-post Version: 1.0.0 The skill bundle describes an API for uploading content to social media platforms. All API calls are directed to the `upload-post.com` domain, and the `SKILL.md` file provides clear documentation and `curl` examples without any evidence of prompt injection against the agent, local malicious execution, or data exfiltration. While the FFmpeg endpoint allows for custom command execution, this occurs remotely on the `upload-post.com` server, not locally by the agent, and is a described feature of the API rather than an instruction for malicious behavior by the skill itself. The skill's behavior is clearly aligned with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An ambiguous or mistaken agent action could publish content, change scheduled posts, or cancel scheduled posts on connected social accounts.
The skill exposes API operations that can create, edit, or cancel public/social posts. The artifact does not add a confirmation or preview requirement before these high-impact actions.
`/upload_videos` | POST | Upload videos ... `/upload_text` | POST | Text-only posts ... `/uploadposts/schedule/<job_id>` | DELETE | Cancel scheduled post ... PATCH | Edit scheduled post
Require explicit user confirmation of exact content, profile, platforms, visibility, and timing before any POST, PATCH, or DELETE request.
A broadly scoped Upload-Post API key could let the agent post to, schedule for, or read history/analytics from multiple connected accounts.
The API key and profile can act on linked social accounts, but the registry metadata declares no primary credential and the instructions do not clearly bound account scope or privilege.
Connect your social media accounts ... Generate an API Key ... The `user` parameter ... determines which connected social accounts receive the content.
Use a dedicated Upload-Post profile and least-privilege API key, store it securely, rotate it if exposed, and declare the credential requirement clearly.
A mistaken post could be amplified across many social platforms, creating reputational or compliance impact before the user notices.
A single wrong profile, platform list, caption, or media file could propagate the same mistake across several public channels at once.
Post content to multiple social media platforms with a single API call.
Confirm each target platform and profile before posting, and consider using drafts/private visibility where the platform supports it.
Private or unpublished media could be uploaded to the provider if the wrong file is selected.
The skill sends user-selected media and post metadata to the Upload-Post API. This is expected for the integration, but it is still a third-party data flow.
curl -X POST "https://api.upload-post.com/api/upload_videos" ... -F "video=@video.mp4"
Only upload intended files, avoid confidential documents unless appropriate, and review the provider's privacy and retention practices.
A scheduled or async post may publish later even after the user has moved on, unless it is reviewed or canceled.
Scheduled and asynchronous uploads are disclosed and purpose-aligned, but they can cause posting activity to occur later or outside the immediate chat turn.
`scheduled_date`: ISO-8601 date for scheduling ... `async_upload`: Set `true` for background processing
Review scheduled jobs after creation and cancel anything unexpected using the documented schedule management endpoint.