postey

Based on the SKILL.md alone, the skill's stated purpose, required credentials, and data flows are internally consistent and proportionate for a social media posting tool. There are no explicit malicious instructions, suspicious third-party download sources, or known exfiltration endpoints in this documentation. The primary residual risk is the actual implementation of ./scripts/postey.js (not provided): because the agent is allowed to execute that script, the script could, if malicious or compromised, exfiltrate config files or credentials or call unexpected endpoints. Recommend reviewing the ./scripts/postey.js source and any runtime dependencies before granting the skill execution permissions. Also recommend encouraging secure storage of API keys (OS keychain or encrypted secrets) rather than plaintext config files when possible.