X/Twitter by altf1be
Advisory
Audited by static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong text, file, reply target, or media, the agent could publish unwanted public content from the user's account.
The code creates tweets through the X API, confirming the skill can mutate the user's public X/Twitter account as its main function.
const result = await apiRequest('POST', `${API_BASE}/tweets`, body);
Only use this skill when you intend to publish. Review the tweet or thread text, media paths, and reply IDs before allowing the agent to run the posting command.
Anyone or any agent process with access to these environment variables may be able to post using the configured X account.
The skill requires OAuth credentials that authorize actions as the user's X/Twitter account.
X_CONSUMER_KEY=your-api-key
X_CONSUMER_SECRET=your-api-secret
X_ACCESS_TOKEN=your-access-token
X_ACCESS_TOKEN_SECRET=your-access-token-secret
Use least-privileged X API tokens where possible: posting needs the Read and Write app permission, so do not grant the level that also covers Direct Messages. Protect the .env file (owner-only permissions), keep it out of version control, and regenerate the tokens in the developer portal if they may have been exposed.
Installation will fetch packages from the npm ecosystem unless already present, adding ordinary dependency supply-chain exposure.
The skill asks users to install Node dependencies even though the registry lists no install spec for it. The included package files declare only commander and dotenv, both aligned with the skill's purpose, but an npm install still trusts the provenance of whatever the registry serves for those names.
Install dependencies: `cd {baseDir} && npm install`
Install from the reviewed package directory, keep the lockfile intact, and review dependency changes before upgrading.
