Twitter Post AIsa
PassAudited by ClawScan on May 8, 2026.
Overview
This skill is coherent for Twitter/X posting and engagement, but it can act on a social account through AIsa, so users should confirm targets, content, and uploads before use.
Before installing, confirm you trust AIsa with the API key, Twitter/X authorization, post content, and any media files you attach. Use the skill only for specific accounts, tweets, or campaigns, and require clear confirmation before likes, follows, replies, uploads, or posts.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could like, follow, reply, or post on Twitter/X when asked, affecting a public social account.
The skill can perform real Twitter/X engagement and posting actions, which are public external mutations. The behavior is disclosed and aligned with the stated purpose, but users should ensure each action is intentional.
Run Twitter/X likes, follows, replies, and OAuth-gated posting through AIsa.
Use only with explicit, user-confirmed targets and content; review replies, posts, follows, and media before approving them.
Anyone running the skill with the configured AIsa credential may be able to use the associated AIsa/Twitter authorization to perform permitted actions.
The skill requires a sensitive API key and uses OAuth-gated posting through a relay. This is expected for the integration, and the artifacts do not show password, cookie, or browser credential collection.
AISA_API_KEY is required for AIsa-backed API access.
Store the AISA_API_KEY securely, grant only the needed account access, and revoke or rotate credentials if they are no longer needed.
Attached images or videos, along with post text and target details, may be transmitted to AIsa for publishing.
Media attachments and post content are sent to the external AIsa relay before reaching Twitter/X. This data flow is disclosed and purpose-aligned, but users should understand that attached files leave the local workspace.
The Python client reads the local file and sends it to the relay backend as multipart/form-data.
Upload only files the user explicitly provided for posting, and avoid sending private or unrelated local files.