Is postiz safe?

https://clawhub.ai/nevo-david/postiz

82
SAFE

Postiz is a legitimate social media automation CLI skill with clean installation behavior, no canary file access, and no network activity during clone. The primary risks are medium-severity: unsafe shell command construction patterns in JavaScript examples that could lead to command injection if agents replicate them with untrusted input, and the inherent capability to upload files and post content to external services. No prompt injection, hidden instructions, or malicious behavior was detected.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (7)

MEDIUM Unsafe shell command construction in examples -15

Multiple JavaScript and shell examples demonstrate constructing shell commands by directly interpolating variables into command strings passed to execSync(). For example, Pattern 5 builds: postiz posts:create -c "${content}" ... --settings '${JSON.stringify(settings)}' -i "${integrationId}". If an agent copies this pattern with user-supplied content, shell metacharacters in the content could lead to command injection.

MEDIUM Broad Bash tool access pattern -10

The skill declares allowed-tools as Bash(postiz:*), which grants the agent permission to execute any shell command matching the postiz prefix. While this is appropriately scoped for the CLI's functionality, it still grants shell execution capability that could be misused if the tool permission matching is loosely implemented.

LOW External URL reference in metadata -2

The skill's homepage field points to https://docs.postiz.com/public-api/introduction. While the skill does not instruct the agent to fetch this URL, an overly helpful agent might visit it, potentially exposing the agent to content at that URL.

LOW File upload capability to external CDN -5

The postiz upload command sends local files to the Postiz CDN (cdn.postiz.com). While this is intended functionality, it creates a data exfiltration channel if an agent is socially engineered into uploading sensitive files.

LOW Potential data leak via social media posts -5

An agent using this skill could inadvertently post sensitive information to public social media platforms. The skill creates posts across 28+ platforms simultaneously, amplifying the impact of any accidental data exposure.

INFO Extensive documentation with many code examples -5

The skill contains over 1000 lines of documentation across multiple files with numerous executable code examples. While thorough, the volume of content increases the surface area for an agent to follow potentially unsafe patterns.

INFO Empty package.json 0

The package.json file appears to be empty, meaning there are no npm dependencies or install scripts. This is actually a positive finding — no supply chain risk from dependencies.