postey
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local JavaScript file (`scripts/postey.js`) using Node.js. The script is self-contained and uses only built-in Node.js modules (fs, path, os, readline) and the standard Fetch API.
- [CREDENTIALS_UNSAFE]: No hardcoded credentials were found. The skill manages an API key by storing it in `~/.config/postey/config.json` or a local `./.postey/config.json` file. The setup process correctly applies restricted file permissions (0o600) and attempts to update the user's `.gitignore` to prevent accidental credential leakage.
- [PROMPT_INJECTION]: The `SKILL.md` file contains safety-oriented instructions that explicitly tell the AI agent not to search for API keys in sensitive locations like the macOS Keychain, `.env` files, or system folders. These are protective measures, not malicious overrides.
- [EXTERNAL_DOWNLOADS]: The skill references legitimate domains associated with the service (`postey.ai`, `srvr.postey.ai`) and a public GitHub repository for updates. No suspicious or unverified third-party downloads are initiated.
- [DATA_EXFILTRATION]: Network operations are limited to the official API endpoint (`https://srvr.postey.ai/v1`) for the purpose of managing social media posts. There is no evidence of unauthorized data harvesting or transmission to unrelated third parties.