Metricool
Advisory
Audited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could queue a public social post to the wrong connected brand or multiple platforms if it invokes the script with incomplete or mistaken inputs.
If the caller omits blogId, the script auto-selects the first Metricool brand and then sends a POST request to schedule content, without a separate confirmation or dry-run step.
if (!blogId) { ... const brand = await getFirstBrandId(token, userId); blogId = brand.id; ... } ... metricoolRequest(`/scheduler/posts?blogId=${blogId}`, 'POST', scheduleData, token, userId)
Require explicit user confirmation of brand, platforms, text, date/time, and media before scheduling; avoid auto-selecting the first brand for write actions.
Anyone or any agent with access to these credentials may be able to view or schedule content through the user’s Metricool account.
The skill requires a Metricool API token and user identifier, which is expected for the stated integration but grants authority over connected social accounts.
"METRICOOL_USER_TOKEN": "your-api-token", "METRICOOL_USER_ID": "your@email.com"
Store the token securely, use the least-privileged token available, rotate it if exposed, and consider manual invocation only for posting actions.
Users have less provenance information for a skill that can act on social media accounts.
The artifacts do not provide a verifiable upstream source or homepage for the skill, though the included code is visible and there is no install script.
Source: unknown
Homepage: none
Review the included scripts before installation and prefer a verified source or publisher when using account-mutating integrations.
