coolmanns

Postiz Extended

Author: coolmanns · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 1462
Favorites: 2
Current installs: 0
Versions: 2
Install in OpenClaw
/install postiz-ext
Description
Schedule and manage social media posts via Postiz API (self-hosted or cloud). Direct API integration — no n8n dependency. Supports X/Twitter, LinkedIn, Bluesky with platform-specific character limits. Includes deduplication, scheduling, media upload, and thread creation.

WHAT IT CAN DO:
- Schedule posts to 28+ channels (X, LinkedIn, Bluesky, Reddit, Instagram, Facebook, Threads, YouTube, TikTok, Pinterest, Mastodon, and more)
- Multi-platform posting in a single API call with platform-adapted content
- X/Twitter thread creation for longer content
- Media upload (file and URL)
- Find next available posting slot per channel
- List, query, update, and delete scheduled posts
- Deduplication workflow (check existing before posting)
- Platform-specific character limits and content tone guidance
- Post state management (QUEUE, PUBLISHED, ERROR, DRAFT)
- Helper script for quick posting with auto-validation

USE WHEN: scheduling social media posts, creating multi-platform content, managing a posting calendar, uploading media for social posts, checking post status, creating X/Twitter threads, or automating social media workflows.
Security usage recommendations
Do not install blindly. Specific recommendations:
- Inspect the two included scripts (scripts/post.py and scripts/check_duplicates.py) before installing: search for network calls, subprocess.exec/OS calls, hard-coded secrets, or code that reads arbitrary files or posts data to remote hosts.
- Treat the hard-coded credential in SKILL.md ([email protected] / Postiz2026!) as sensitive: assume it may be live. If you or your team used these credentials, rotate them immediately. If you copy examples, replace credentials with environment variables or prompt-based input.
- Ask the publisher for a source repository or homepage; lack of origin reduces trust. If you cannot verify the source, run the skill in an isolated environment or sandbox.
- Require the skill to declare required credentials (e.g., POSTIZ_EMAIL, POSTIZ_PASSWORD or an API token) instead of embedding them in docs, and prefer using an API token scoped to the account.
- If you do not want automatic network calls, set disableModelInvocation:true for this skill or only use it via explicit user-invocation.
- If you want further help, paste the contents of scripts/post.py and scripts/check_duplicates.py so they can be reviewed for risky patterns (shell execution, arbitrary remote hosts, secret exfiltration).
Functional analysis
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Suspicious High-Entropy/Eval files: 2

The skill bundle is classified as suspicious primarily due to the presence of hardcoded credentials (email: `[email protected]`, password: `Postiz2026!`) in both the `SKILL.md` instructions and the Python scripts (`scripts/check_duplicates.py`, `scripts/post.py`). While these credentials appear to be for a specific, likely demo, instance (`https://postiz.home.mykuhlmann.com`), hardcoding credentials in a skill bundle is a significant security anti-pattern that exposes sensitive information. The skill otherwise aligns with its stated purpose of managing social media posts, with all network and file system access (e.g., `/tmp/postiz-cookies.txt` for session management) being directly related to interacting with the Postiz API. There is no evidence of prompt injection against the agent, data exfiltration to unrelated endpoints, or other malicious behaviors.
Capability assessment
Purpose & Capability
The name/description and SKILL.md consistently target the Postiz API and social posting workflows, and the included helper scripts align with that purpose. However, the skill declares no required credentials or primaryEnv even though the instructions require authenticating to a Postiz instance. That omission is a design inconsistency.
Instruction Scope
The runtime instructions directly instruct running curl commands against https://postiz.home.mykuhlmann.com and saving cookies to /tmp/postiz-cookies.txt. The SKILL.md contains a hard-coded login example including an email and plaintext password ([email protected] / Postiz2026!). Providing live credentials in the README is unsafe and could be used by the agent or anyone who copies the examples. The instructions also instruct uploading local files and reading local paths (e.g., /path/to/image.png), which are expected for the purpose but mean the skill will interact with user filesystem and an external host.
Install Mechanism
No install spec is provided (instruction-only), which reduces installer risk. However, the package does include two Python scripts (scripts/post.py and scripts/check_duplicates.py). The presence of on-disk scripts is consistent with the 'helper script' claim, but those files should be reviewed for network calls, subprocess execution, and any file-system or credential-handling behavior before trusting them.
Credentials
The skill declares no required environment variables or primary credential, yet the workflow requires authenticating to a Postiz instance (cookies or credentials) to operate. Example credentials are embedded in SKILL.md rather than being defined as required/optional env vars or secrets, which is poor practice and risks accidental credential reuse or leakage. The skill does not request unrelated cloud credentials, but the lack of explicit credential handling is disproportionate to secure usage.
Persistence & Privilege
The skill does not set always:true or disableModelInvocation:true, so the default is that the model may invoke it autonomously when eligible. Because the skill's instructions perform network operations against an external host and can upload media/read local file paths, allowing autonomous invocation plus external API access increases the risk of unintended data transmission. Consider disabling autonomous invocation or restricting the skill if you do not want the model to make external API calls without an explicit prompt.
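How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install postiz-ext
  3. Once installation completes, invoke the Skill by name or trigger it with /postiz-ext
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history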
v1.0.1
Full Postiz API: multi-platform posting, thread creation, media upload, slot finder, deduplication, platform-specific limits
v1.0.0
Extended Postiz skill with multi-platform posting, threads, dedup, content guidance
Metadata
Slug postiz-ext
Version 1.0.1
License
Total installs 0
Current installs 0
Versions 2
FAQ

What is Postiz Extended?

Schedule and manage social media posts via Postiz API (self-hosted or cloud). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1462 total downloads so far.

How do I install Postiz Extended?

Run the command "/install postiz-ext" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Postiz Extended free?

Yes, Postiz Extended is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Postiz Extended support?

Postiz Extended runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Postiz Extended?

It is developed and maintained by coolmanns (@coolmanns); the current version is v1.0.1.
