Description
Schedule and manage social media posts via Postiz API (self-hosted or cloud).
Direct API integration — no n8n dependency.
Supports X/Twitter, LinkedIn, Bluesky with platform-specific character limits.
Includes deduplication, scheduling, media upload, and thread creation.
WHAT IT CAN DO:
- Schedule posts to 28+ channels (X, LinkedIn, Bluesky, Reddit, Instagram, Facebook, Threads, YouTube, TikTok, Pinterest, Mastodon, and more)
- Multi-platform posting in a single API call with platform-adapted content
- X/Twitter thread creation for longer content
- Media upload (file and URL)
- Find next available posting slot per channel
- List, query, update, and delete scheduled posts
- Deduplication workflow (check existing before posting)
- Platform-specific character limits and content tone guidance
- Post state management (QUEUE, PUBLISHED, ERROR, DRAFT)
- Helper script for quick posting with auto-validation
USE WHEN: scheduling social media posts, creating multi-platform content, managing a posting calendar, uploading media for social posts, checking post status, creating X/Twitter threads, or automating social media workflows.
Security Recommendations
What to check before installing or running this skill:
- Provenance: the skill source/homepage is unknown. Prefer code from a known repo or vendor. Ask the publisher for a canonical source or verify the package on a trusted registry.
- Metadata mismatch: the registry metadata claims no required env vars, but SKILL.md and the scripts require POSTIZ_URL, POSTIZ_EMAIL, POSTIZ_PASSWORD and integration IDs. Treat that as a red flag and do not expose real credentials until you verify origin.
- Least privilege: if possible, use an integration-specific API token (Postiz may offer tokens) instead of your full account password. If only password auth is available, create a dedicated account with minimal rights.
- Cookie handling: the scripts save session cookies to /tmp/postiz-cookies.txt. /tmp is shared, and files there may be readable by other local users; consider changing the cookie path to a restricted location (e.g., in your user home with restrictive permissions) or deleting the cookie file after use.
- Feature claims: the description promises 28+ channels but bundled code explicitly handles 3 platforms. If you need broader channel support, confirm whether the Postiz instance (server) provides it and whether the skill will correctly map arbitrary integration IDs, or update the scripts to handle additional types.
- Execution policy: because the repo includes executable Python scripts, prefer to run them manually in an isolated environment first (local VM/container) rather than granting the agent autonomous invocation with your real credentials. You can also audit the scripts line-by-line (they are short) or run them with a test Postiz instance.
- If you proceed: restrict credentials, test with non-sensitive/test accounts, inspect network traffic (or run against a staging Postiz) to confirm no unexpected endpoints are called, and remove stored cookies/credentials after testing.
Functional Analysis
Type: OpenClaw Skill
Name: postiz-extended
Version: 1.3.0
The OpenClaw skill bundle is benign. All observed behaviors, including reading environment variables for API credentials, saving session cookies to `/tmp/postiz-cookies.txt`, making network requests to the configured `POSTIZ_URL`, and uploading specified media files, are directly aligned with its stated purpose of scheduling and managing social media posts via the Postiz API. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the AI agent in the `SKILL.md` or code.