AIsa Twitter Command Center
PassAudited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill Name: aisa-twitter-command-center Version: 1.0.3 The skill bundle provides a legitimate interface for interacting with Twitter/X via the AIsa relay service (api.aisa.one). The Python scripts (twitter_client.py and twitter_oauth_client.py) use standard libraries to perform read and write operations, with clear logic for handling OAuth and media uploads. The instructions in SKILL.md and references/post_twitter.md include appropriate guardrails, such as explicitly forbidding the agent from asking for user passwords or cookies.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked for publishing, the agent can create posts, replies, quotes, or media posts on the authorized account.
The skill can perform public, account-changing actions on Twitter/X, but the capability is disclosed and tied to OAuth approval and user publishing intent.
Publish text, image, and video posts after explicit OAuth approval.
Use it only for clear publish requests, review the exact text/media/account before posting, and do not treat research or drafting requests as publish approval.
Anyone or any agent process with the key may be able to call the configured AIsa Twitter/X relay capabilities.
The skill requires a bearer credential for the AIsa relay, which is expected for this integration but grants access to relay-backed Twitter/X functions.
Required secret: `AISA_API_KEY`.
Store the API key securely, use the least-privileged key available, and revoke or rotate it if the environment is shared or compromised.
Images or videos selected for posting leave the local workspace and are sent to api.aisa.one before being uploaded to Twitter/X.
Selected local media files are uploaded to the AIsa relay for posting; this data flow is disclosed and scoped to user-provided workspace files.
The Python client reads the local file and sends it to the relay backend as `multipart/form-data`.
Only provide media files you intend to publish, and verify file paths are workspace attachments rather than unrelated local files.
A user or agent could be confused about whether non-OAuth cookie/proxy login methods are appropriate.
Most artifacts describe an OAuth-only/no-cookies workflow; this exception creates minor ambiguity, though no cookie-handling implementation is shown.
Do not use cookie-based login or proxy-based login unless the user explicitly asks for legacy behavior.
Stick to the documented OAuth flow and avoid password, cookie, proxy, or browser-session login methods unless separately reviewed.