X Publisher
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent X posting tool, but it can directly publish, like, and delete account content with OAuth tokens and does not document confirmation safeguards.
Install only if you are comfortable giving the agent OAuth access to publish and manage content on your X account. Before use, require explicit approval of the exact tweet text and tweet IDs, avoid unattended posting, and ignore or fix the scheduling commands unless a reviewed scheduler is added.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong text or tweet ID, the agent could publicly post, like, or delete content on the connected X account.
The CLI directly executes public account-changing actions from command arguments, including posting, liking, and deleting, with no preview or confirmation step shown in the code or instructions.
if (cmd === 'post') await post(args.join(' ')); ... else if (cmd === 'like') await like(args[0]); else if (cmd === 'delete') await remove(args[0]);
Use only with explicit user-approved text and IDs. Add a confirmation/preview requirement for post, thread, reply, quote, like, and delete actions, especially before deletion or public posting.
Anyone or any agent process with these environment variables can perform the supported X account actions through this script.
The skill requires OAuth credentials that can act as the user's X account. This is expected for the stated purpose, and the reviewed code does not show hardcoded credentials or unrelated transmission.
requires:\n env: [X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET]
Use the least-privileged X app/token available, keep tokens out of logs, and rotate or revoke them if the skill is no longer needed.
A user or agent may believe scheduled posting is supported or that a background process exists when the included code does not provide that capability.
SKILL.md advertises queue-and-cron scheduled posting, but the reviewed x-api.js command dispatcher only implements post, thread, reply, quote, like, delete, and timeline. This mismatch can mislead users about persistence and delayed posting behavior.
Schedule a tweet for later (saved to queue, posted by cron):
Remove the scheduling instructions or add a reviewed scheduler implementation with clear storage location, cron setup, approval rules, and cancellation controls.
