Mixpost
v1.0.0Mixpost is a self-hosted social media management software that helps you schedule and manage your social media content across multiple platforms including Facebook, Twitter/X, Instagram, LinkedIn, Pinterest, TikTok, YouTube, Mastodon, Google Business Profile, Threads, Bluesky, and more.
⭐ 7· 4k·11 current·11 all-time
by@lao9s
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, declared env vars (MIXPOST_URL, MIXPOST_ACCESS_TOKEN, MIXPOST_WORKSPACE_UUID), and all curl examples consistently target the Mixpost API surface. There are no unrelated environment variables, binaries, or config paths required that would be out of scope for a social-media-management integration.
Instruction Scope
SKILL.md contains only concrete curl examples for Mixpost API endpoints (accounts, media, tags, posts, etc.) and a simple setup step to export the three required env vars. The instructions do not ask the agent to read arbitrary system files, other env vars, or send data to endpoints outside the user-provided MIXPOST_URL. Note: some examples show uploading a local file (curl -F file=@/path/to/...), which implies access to local files if executed — this is expected for media upload functionality but is worth awareness.
Install Mechanism
No install spec and no code files are included. This reduces the surface area — nothing will be downloaded or written to disk by an install step.
Credentials
The three required env vars are proportional to the skill's purpose. MIXPOST_ACCESS_TOKEN is declared as the primary credential. There are no unrelated secrets requested. One general caution: MIXPOST_URL is user-supplied and could point to any host, so the token and workspace UUID will be valid against whatever URL is provided.
Persistence & Privilege
always:false (good). disable-model-invocation:false means the agent can call the skill autonomously — this is the platform default and necessary for agent-driven tasks. Keep in mind that with valid credentials the agent (if permitted by runtime) could perform state-changing actions (create posts, upload media) on your Mixpost instance; this is expected behavior for this skill but should be acceptable only if you trust the agent and the token's scope.
Assessment
This skill appears coherent and only needs your Mixpost URL, an access token, and a workspace UUID. Before installing: (1) only point MIXPOST_URL to a Mixpost instance you control or trust — credentials are sent to that URL; (2) treat MIXPOST_ACCESS_TOKEN as sensitive and prefer a token with minimal privileges and an expiration if possible; (3) be aware that if the agent is allowed to invoke the skill autonomously it can create/publish posts and upload files using those credentials; (4) rotate the token if you later revoke the skill's access and monitor your Mixpost audit/logs for unexpected activity.Like a lobster shell, security has layers — review code before you run it.
latestvk973bsakq3jgsp5d8vpctd0hb580exyg
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🗓️ Clawdis
EnvMIXPOST_URL, MIXPOST_ACCESS_TOKEN, MIXPOST_WORKSPACE_UUID
Primary envMIXPOST_ACCESS_TOKEN