Turn your OpenClaw into an autonomous social media manager using Post Bridge API. Use when scheduling, posting, or managing content across TikTok, Instagram...
Security Analysis
high confidence
The skill is internally consistent with its stated purpose: it only requires ffmpeg and a Post Bridge API key (appropriate for uploading/processing media and calling the Post Bridge API) and contains instruction-only runtime steps, but you should still limit the API key scope and be mindful that the agent will be able to read/upload workspace files when used.
Name/description (social media manager using Post Bridge) align with requested items: POST_BRIDGE_API_KEY (primary credential) and ffmpeg (used for video frame extraction and processing). No unrelated credentials, binaries, or config paths are requested.
SKILL.md is an instruction-only runtime spec that tells the agent to list accounts, upload media, create/update/delete posts, and fetch analytics from api.post-bridge.com — all expected. It also instructs saving the API docs to the workspace and processing local video files (ffmpeg). Be aware: those instructions imply the agent will read workspace files (videos, .env) and upload media to the remote API. This is expected for the skill but is a privacy/exfiltration vector you should consider before granting access.
No install spec (instruction-only). Lowest-risk install posture — nothing is downloaded or written by an installer.
Only POST_BRIDGE_API_KEY is required and declared as the primary credential. That is proportionate to the task. The SKILL.md instructs storing the API key in a workspace .env — reasonable but be cautious if your workspace syncs to external storage or is shared.
always is false and there is no self-install behavior or requests to change other skills or system settings. disable-model-invocation is false (the agent can invoke the skill autonomously), which is normal for skills but means the agent could act without manual step-by-step approval unless you restrict agent autonomy elsewhere.
Guidance
This skill appears to do what it says, but before enabling it:
1) Only provide a Post Bridge API key with the minimal scope/permissions required (create/post/schedule) and avoid using broad admin keys.
2) Test first with a non-production/test social account to ensure posting behavior is correct.
3) Remember the skill's runtime instructions will let the agent read files in the workspace (videos, .env) and upload them; ensure sensitive files are not in that workspace or that workspace syncing is disabled.
4) Review Post Bridge's dashboard and token revocation procedures so you can quickly revoke the key if the agent posts unexpectedly.
5) If you do not want autonomous posting, restrict agent autonomy or require manual confirmation before executing post/create endpoints.
Latest Release
v1.0.7
- Adds new post creation options: `media_urls`, `is_draft`, `processing_enabled`, and `use_queue` for flexible scheduling and media sourcing.
- Introduces `use_queue` for automatic scheduling to the next available slot from your configured social media queue.
- Supports updating (`PATCH`) and deleting (`DELETE`) scheduled posts (only while status is `scheduled`).
- Analytics endpoint expanded: now supports platform-wide queries, post result ID filters, and richer returned analytics (view, like, comment, and share counts).
- Documentation for post result listing (`GET /v1/post-results`) and analytics syncing updated for improved clarity and broader coverage.
- Tips and workflow sections updated to include queue-based posting options and new analytics tracking advice.
Published by @jackfriks on ClawHub