Mia Twitter Stealth
Malicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is designed to automate Twitter/X account actions while hiding from bot detection and using raw account session tokens.
Do not install this skill for a real X/Twitter account. It is explicitly built to hide automation from bot-detection systems, asks for raw account tokens, and references unreviewed external tooling.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using it could put the user's X/Twitter account at risk of restriction or ban and may enable spam-like or abusive activity.
The skill's stated goal is to evade a platform's bot-detection controls rather than simply automate a disclosed user workflow.
Twitter/X automation with advanced stealth techniques to avoid bot detection.
Do not use skills that advertise evading platform detection; prefer official APIs and automation that complies with the service's rules.
The agent could create posts, replies, likes, and follows from the user's account, potentially harming reputation or violating platform rules.
These examples authorize public account actions and multi-target liking/following, which are high-impact social-media mutations when paired with stealth automation.
mia-twitter post "Hello world"
mia-twitter reply <tweet-id> "Great post!"
mia-twitter like --search "AI agents" --limit 10
mia-twitter follow --search "founder" --limit 5
Avoid installing unless every account action is explicitly user-approved, rate-limited by enforceable code, and compliant with the platform's automation policies.
Providing these values may grant broad control over the user's X/Twitter account to an unreviewed automation flow.
The skill requires raw X/Twitter session or auth values, but the registry metadata declares no credentials or required environment variables.
- X_AUTH_TOKEN env var
- X_CT0 env var
Do not provide raw session tokens to this skill; use narrowly scoped, revocable OAuth credentials only with reviewed code and clear handling rules.
A logged-in automation session may persist beyond a single task and continue to support stealthy account activity.
Persistent browser/session storage combined with automatic backoff when flagged is designed to keep automated account activity viable after detection signals.
Session Persistence
- Cookie storage
- LocalStorage persistence
- User data directory
Cooldown Management
- Rate limit tracking
- Automatic backoff
- 24h cooldown if flagged
Reject or remove persistence-based stealth automation unless storage paths, cleanup, and user-controlled session revocation are clearly implemented and reviewed.
The actual command implementation is unknown, so users cannot verify what code would receive their tokens or control their account.
The artifact provides no reviewed implementation or installation source even though SKILL.md tells users to run a `mia-twitter` command with account credentials.
No install spec — this is an instruction-only skill.
Do not run an unreviewed external CLI for account automation; require source code, pinned dependencies, and a transparent install path before use.
