X/Twitter Automation: 30+ APIs, OAuth Post, One Key

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Twitter/X automation skill, but users should understand that it can post publicly through OAuth and send selected media through the AIsa relay.

Install this only if you are comfortable using AIsa as the Twitter/X relay and granting OAuth posting access. Review posts and attachment paths before publishing, avoid private media, and confirm that TWITTER_RELAY_BASE_URL is unset or points to a trusted HTTPS relay.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A misunderstood or overly broad publish request could result in a public tweet, reply, quote, or thread.

Why it was flagged

The agent is instructed to invoke a public posting action once it interprets the user's intent as publishing. This is purpose-aligned, but public posting is a high-impact tool action.

Skill content

When the user asks to publish content to X/Twitter: ... Try `post` first when the user intent is to publish content.

Recommendation

Use clear wording when asking it to post, and request a preview or confirmation for sensitive, brand, legal, or personal content.

What this means

Once authorized, the skill can publish content using the connected Twitter/X account when instructed.

Why it was flagged

The skill obtains delegated authority to publish through a Twitter/X account after OAuth. This is central to the stated posting feature, but it is account-level authority.

Skill content

After the user completes authorization, publish using the authorized account.

Recommendation

Authorize only the intended account, review the OAuth permissions, and revoke access when you no longer need the skill.

What this means

Attached images or videos leave the local workspace and are shared with the relay service and Twitter/X.

Why it was flagged

Selected local workspace media files are transmitted to the AIsa relay and then to Twitter/X as part of the posting flow.

Skill content

The Python client reads the local file and sends it to the relay backend as `multipart/form-data`. The relay backend uploads the media to Twitter/X and then publishes the tweet.

Recommendation

Attach only files you intend to publish, verify file paths before posting, and avoid sending private or sensitive media.

What this means

If TWITTER_RELAY_BASE_URL is set to an unexpected host, post content, media requests, and the AISA API key could be sent there.

Why it was flagged

The OAuth client can use an environment-supplied relay URL, and requests include the AISA API key in the Authorization header. This is a configurable data boundary users should know about.

Skill content

base_url = normalize_base_url(get_env("TWITTER_RELAY_BASE_URL", DEFAULT_BASE_URL)) ... "Authorization": f"Bearer {aisa_api_key}"

Recommendation

Leave TWITTER_RELAY_BASE_URL unset unless you intentionally use a trusted relay, and prefer HTTPS endpoints.