We checked this and rejected it

privacy

Social Media Skills: why it is not safe to use

Social Media Skills cleared our review at 86/100 with two privacy cautions: some skills call third-party APIs, and one uploads your video files to Google.

What we found

Most of this skill checked out clean. We saw no hidden or manipulative instructions, no data sent to attacker-controlled endpoints, no hardcoded secrets, no destructive shell commands, and no obfuscated payloads. The 'never show below 95' line is a quality gate, not a way to conceal data.

Two items warrant a caution. A few skills (post-scorer, reels-scripting, niche-research) reach out to third-party services: Apify, Google Gemini, and general web fetches. Notably, reels-scripting uploads your downloaded .mp4 files to Google for analysis, so that footage leaves your device. These skills also read `APIFY_API_TOKEN` and `GOOGLE_AI_API_KEY` from your environment. We found them used only for their intended APIs, with no sign of the tokens going anywhere else.

What to do instead

Run these skills with your own API keys, and treat those keys as you would any other secret. Before using reels-scripting, decide whether you are comfortable sending that video to Google, since its terms then apply. If a clip is sensitive, keep it local and skip the upload step.

Want the same outcome, safely? Use our checked skill instead.

Source: https://github.com/charlie947/social-media-skills

We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.
