POST AI Automation
by nyamiresepdapur-droid · v1.0.0
379 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install postai-automation
Description
Automate TikTok and Instagram video creation and scheduled posting from one product image using POST AI with customizable styles, captions, and performance t...
Usage Guidance
This skill appears to implement the advertised video-generation and upload workflow, but several issues need attention before you run it:
- Expect to provide sensitive credentials: POST AI API key and TikTok/Instagram cookie files/session_id. The code reads them from config.json (plaintext). Prefer storing secrets in environment variables or a secure keyring rather than a repo file.
- Registry metadata did NOT declare these credentials or Python requirements — that's an inconsistency. Treat the package as requiring Python 3.8+ and manual credential configuration.
- SKILL.md references scripts that are missing (previews.py, daily_post.py, track_performance.py). The package has placeholders (TODO) for actual TikTok/Instagram upload logic. The upload functions currently simulate behavior; real browser automation or API calls would need additional dependencies and credentials.
- config.example.json contains a JSON syntax error (malformed posting_schedule entry). Fix the example before copying to config.json.
- Review how cookies/session_id are obtained and stored. Exporting full browser cookies can expose other accounts; only extract the minimum tokens needed and store them securely.
- Audit the code paths that download images (arbitrary URLs) and run subprocesses — run in an isolated environment (container or VM) and avoid running with elevated privileges.
- Verify the legitimacy of POST AI (postai.myscalev.com / api.postai.com) and costs before entering payment/keys.
If you decide to use it: run it in a sandbox, fix the config example, move secrets out of repo files, and manually inspect/complete the upload implementation (or replace with a vetted library) before scheduling automatic runs.
Capability Analysis
Type: OpenClaw Skill
Name: postai-automation
Version: 1.0.0
The skill is classified as suspicious primarily due to a Server-Side Request Forgery (SSRF) vulnerability in `scripts/batch_process.py`. The `download_image` function calls `urllib.request.urlopen(url)`, where `url` is taken directly from the `image_url` column in the input CSV, allowing an attacker to potentially make the agent request arbitrary internal network resources or local files. Additionally, the skill handles highly sensitive credentials like social media session IDs and cookie file paths (e.g., `tiktok_cookies.json`), which, while necessary for its stated purpose, present a significant attack surface if exploited. There are no clear indicators of intentional malicious behavior like data exfiltration to unauthorized endpoints or prompt injection against the agent.
Capability Assessment
Purpose & Capability
The skill claims to automate POST AI video generation and posting — the scripts implement that workflow and require a POST AI API key plus TikTok/Instagram cookies/session_id. However, the registry metadata declared no required environment variables or credentials while package.json lists Python requirements; the metadata therefore under-represents needed secrets and runtime requirements. This mismatch is unexpected and reduces transparency.
Instruction Scope
SKILL.md instructs storing API keys and browser cookies/session_id in config.json and running scripts (generate, auto_upload, batch_process). The scripts read config.json directly and will download images from arbitrary URLs and may run browser automation (TODO notes). The SKILL.md references additional scripts (previews.py, daily_post.py, track_performance.py) that are not present in the package — this is incoherent. Storing session cookies and session_id in a config file is sensitive and the instructions do not recommend safer alternatives (e.g., env vars, OS keyring).
Install Mechanism
There is no install spec (instruction-only plus Python scripts). No remote downloads or installers are executed by the skill itself. That limits supply-chain risk compared to arbitrary URL downloads, but the package assumes a Python runtime and will invoke subprocesses and network calls.
Credentials
The skill requires POST AI API credentials and TikTok/Instagram cookie files/session_id (sensitive tokens) stored in config.json; these are proportionate to an uploader but the registry metadata did not declare them. The config.example.json itself contains mistakes (malformed JSON) and reveals that sensitive data will be stored in plaintext files by default — a potential secret-exposure risk. No primary credential is declared in metadata.
Persistence & Privilege
always:false and default model-invocation are used (normal). The skill writes temp files, outputs, and a batch_summary.jsonl in its skill directory and suggests adding a cron job; it does not request elevated system privileges or alter other skills. Still, because it can be scheduled to run unattended and uses account cookies/API keys, autonomous operation increases blast radius if credentials are mishandled.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install postai-automation
- After installation, invoke the skill by name or use /postai-automation
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Frequently Asked Questions
What is POST AI Automation?
Automate TikTok and Instagram video creation and scheduled posting from one product image using POST AI with customizable styles, captions, and performance t... It is an AI Agent Skill for Claude Code / OpenClaw, with 379 downloads so far.
How do I install POST AI Automation?
Run "/install postai-automation" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is POST AI Automation free?
Yes, POST AI Automation is completely free (open-source). You can download, install and use it at no cost.
Which platforms does POST AI Automation support?
POST AI Automation is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created POST AI Automation?
It is built and maintained by nyamiresepdapur-droid (@nyamiresepdapur-droid); the current version is v1.0.0.