AIsa Twitter API (Search + Post)
ReviewAudited by ClawScan on May 10, 2026.
Overview
This looks like a real Twitter/X integration, but its public-posting workflow and credential routing need review before use.
Install only if you trust AIsa/OpenClaw with Twitter/X API access and delegated posting. Before posting, verify the final text, media, and whether it is a standalone, quote, or reply post; also make sure TWITTER_RELAY_BASE_URL is not set to an unexpected endpoint.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish using the wrong posting mode, or proceed with a public post without a clear final confirmation step once authorization exists.
These instructions govern public posting and give inconsistent guidance about whether quote/reply relationship fields should be used by default.
“Try to publish the requested content first.” ... “Default to `--type quote` for publishing.” ... “For a normal standalone image/video post, do not send quote/reply relationship fields.”
Before using posting, review the final tweet text, media, and quote/reply target. The skill should make standalone posts the default and require explicit user intent for quote or reply modes.
If the environment is misconfigured or influenced, the API key and posting requests could be sent to a non-default relay endpoint, including plain HTTP.
The OAuth client can take a relay URL from an environment variable and sends the AISA bearer key in request headers; the allowed URL validation accepts any http(s) host.
base_url = normalize_base_url(get_env("TWITTER_RELAY_BASE_URL", DEFAULT_BASE_URL)) ... if parsed.scheme not in {"http", "https"} ... "Authorization": f"Bearer {aisa_api_key}"Leave TWITTER_RELAY_BASE_URL unset unless you intentionally trust that relay. The skill should document this override, prefer HTTPS only, and ideally restrict it to trusted hosts.
Any attached image or video path used with the skill will leave the local workspace and may become public on Twitter/X.
This clearly discloses that selected local media files are sent through the AIsa relay before being posted to Twitter/X.
“The Python client reads the local file and sends it to the relay backend as `multipart/form-data`. The relay backend uploads the media to Twitter/X and then publishes the tweet.”
Only provide media files you intend to upload and publish; double-check file paths before posting.