AIsa Twitter API (Search + Post)
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: aisa-twitter-api Version: 1.0.1 The skill bundle is a well-structured Twitter/X API wrapper for the AIsa service (aisa.one). It provides comprehensive read and write capabilities, including tweet searching, user analytics, and OAuth-based posting with media support. The Python scripts (twitter_client.py and twitter_oauth_client.py) use standard libraries to communicate with the official AIsa API endpoints and include robust logic for handling multi-chunk threaded posts. The documentation (SKILL.md and post_twitter.md) provides clear operational instructions and security guardrails for the AI agent, such as explicitly forbidding the collection of user passwords.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish using the wrong posting mode, or proceed with a public post without a clear final confirmation step once authorization exists.
These instructions govern public posting and give inconsistent guidance about whether quote/reply relationship fields should be used by default.
“Try to publish the requested content first.” ... “Default to `--type quote` for publishing.” ... “For a normal standalone image/video post, do not send quote/reply relationship fields.”
Before using posting, review the final tweet text, media, and quote/reply target. The skill should make standalone posts the default and require explicit user intent for quote or reply modes.
If the environment is misconfigured or influenced, the API key and posting requests could be sent to a non-default relay endpoint, including plain HTTP.
The OAuth client can take a relay URL from an environment variable and sends the AISA bearer key in request headers; the allowed URL validation accepts any http(s) host.
base_url = normalize_base_url(get_env("TWITTER_RELAY_BASE_URL", DEFAULT_BASE_URL)) ... if parsed.scheme not in {"http", "https"} ... "Authorization": f"Bearer {aisa_api_key}"Leave TWITTER_RELAY_BASE_URL unset unless you intentionally trust that relay. The skill should document this override, prefer HTTPS only, and ideally restrict it to trusted hosts.
Any attached image or video path used with the skill will leave the local workspace and may become public on Twitter/X.
This clearly discloses that selected local media files are sent through the AIsa relay before being posted to Twitter/X.
“The Python client reads the local file and sends it to the relay backend as `multipart/form-data`. The relay backend uploads the media to Twitter/X and then publishes the tweet.”
Only provide media files you intend to upload and publish; double-check file paths before posting.