Security audit
Postzee — AI Social Media Studio
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, instructions, and configuration align with its stated purpose: it asks for a Postzee API key in the plugin config and only calls Postzee's public API to generate media and post to connected channels.
This plugin appears to do what it says: it needs your Postzee API key in the OpenClaw plugin config and then calls Postzee's API to generate media and post to channels. Before installing: 1) Confirm you trust Postzee and that the API key you provide has only the necessary scope; 2) Be aware the SKILL.md allows automated generate-and-post flows (the agent may perform generate+publish sequences when intent is clear) — if you need manual approval before publishing, plan to require confirmations or adjust agent behavior; 3) Monitor credits to avoid unexpected charges; 4) If you want extra assurance, review the plugin source (dist/index.js / src/index.ts) yourself to verify the API endpoints and header usage (it posts to api.postzee.app and sends the configured API key in the Authorization header).
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
