Openclaw Twitter Post Engage

Pass. Audited by VirusTotal on May 4, 2026.

Overview

Type: OpenClaw Skill
Name: openclaw-twitter-post-engage-slot3
Version: 1.0.3

The skill bundle provides a well-structured and transparent interface for Twitter/X operations (reading, posting, and engagement) via the AISA relay API (api.aisa.one). The Python scripts (twitter_client.py, twitter_oauth_client.py, and twitter_engagement_client.py) use standard libraries and implement robust security guardrails, such as mandatory OAuth authorization for write actions and explicit instructions for the AI agent to obtain user approval via confirmation artifacts before execution. There is no evidence of data exfiltration, obfuscation, or unauthorized local execution; the required AISA_API_KEY and file access for media uploads are strictly aligned with the stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved incorrectly, the agent could post content, upload media, like tweets, or follow accounts on the user’s behalf.

Why it was flagged

The skill can perform public Twitter/X write and engagement actions. This is purpose-aligned and disclosed, with explicit approval requirements, but misuse could affect the user’s public account.

Skill content

Publish text, image, and video posts after explicit OAuth approval. Like, unlike, follow, and unfollow through the engagement client once authorization exists.

Recommendation

Only approve a final confirmation artifact that names the exact action, account or tweet, text, and media files; do not allow broad or ambiguous approvals.

What this means

The configured credentials and OAuth approval allow the relay-backed client to make authorized Twitter/X requests for the user.

Why it was flagged

The skill requires an AISA API key and OAuth authorization to act through the relay. This is expected for the service integration but grants delegated account authority.

Skill content

Required env: `AISA_API_KEY` ... Obtain OAuth authorization before any write action.

Recommendation

Use only a trusted AISA key, authorize only the intended Twitter/X account, and revoke OAuth access when no longer needed.

What this means

Attached images, videos, post text, and related request data may be sent to api.aisa.one during approved posting workflows.

Why it was flagged

Approved media uploads and posting content are transmitted to the AISA relay. This is disclosed and purpose-aligned, but it sends user-selected local files/content to a third-party service.

Skill content

The Python client reads the local file and sends it to the relay backend as `multipart/form-data`.

Recommendation

Upload only files you intentionally want to publish, verify each file path in the confirmation artifact, and avoid approving private or unrelated local files.