postiz

The skill is largely coherent with its stated purpose: install Postiz, authenticate with a Postiz API key, upload media, and publish or analyze posts through Postiz. It is not strongly indicative of malware, but it carries meaningful security risk because it enables autonomous public posting/deletion, can upload local files, and allows API traffic to be redirected via a custom API URL. The unrelated recommendation to use `agent-media` adds avoidable third-party trust risk. Overall classification: SUSPICIOUS due to real-world action capability and expanded trust surface, not because of clear credential theft or hidden exfiltration.