Metricool
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it says, but it can queue public social media posts using stored Metricool credentials and may default to the first brand without a separate confirmation step.
Use this skill only if you are comfortable giving the agent Metricool posting authority. Before allowing scheduling, explicitly confirm the brand/blog ID, platforms, text, media URL, and scheduled time, and keep the API token secured.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could queue a public social post to the wrong connected brand or multiple platforms if it invokes the script with incomplete or mistaken inputs.
If the caller omits blogId, the script auto-selects the first Metricool brand and then sends a POST request to schedule content, without a separate confirmation or dry-run step.
if (!blogId) { ... const brand = await getFirstBrandId(token, userId); blogId = brand.id; ... } ... metricoolRequest(`/scheduler/posts?blogId=${blogId}`, 'POST', scheduleData, token, userId)
Require explicit user confirmation of brand, platforms, text, date/time, and media before scheduling; avoid auto-selecting the first brand for write actions.
Anyone or any agent with access to these credentials may be able to view or schedule content through the user’s Metricool account.
The skill requires a Metricool API token and user identifier, which is expected for the stated integration but grants authority over connected social accounts.
"METRICOOL_USER_TOKEN": "your-api-token", "METRICOOL_USER_ID": "your@email.com"
Store the token securely, use the least-privileged token available, rotate it if exposed, and consider manual invocation only for posting actions.
Users have less provenance information for a skill that can act on social media accounts.
The artifacts do not provide a verifiable upstream source or homepage for the skill, though the included code is visible and there is no install script.
Source: unknown
Homepage: none
Review the included scripts before installation and prefer a verified source or publisher when using account-mutating integrations.
