Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AIsa Twitter Post Engage

v1.0.0

Search X/Twitter profiles, tweets, trends, and OAuth-gated posting through AIsa. Use when: the user needs Twitter research, monitoring, or engagement workflo...

0 · 22 · 0 current · 0 all-time
Security Scan
Capability signals
  • Requires OAuth token
  • Requires sensitive credentials
  • Posts externally
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description ask for Twitter search, monitoring, engagement, and OAuth posting. The package only requires python3 and AISA_API_KEY and contains clients that call a relay at api.aisa.one for read, engagement, and OAuth/posting endpoints — this matches the stated purpose.
Instruction Scope
SKILL.md directs the agent to run the provided scripts under scripts/ and to use AISA_API_KEY for relay access. The instructions limit behavior (don’t request passwords, return auth links, pass local workspace file paths as --media-file). The runtime instructions and the scripts’ visible behavior (HTTP requests to api.aisa.one, optional webbrowser open, multipart media uploads) stay within the declared Twitter engagement/posting scope.
Install Mechanism
No install spec is present (instruction-only packaging with bundled scripts). No external downloads or archive extraction are performed. Runtime is limited to local Python scripts included in the package.
Credentials
Only AISA_API_KEY is required and declared as primaryEnv. The code reads that single env var for authorization. No unrelated secrets, cloud credentials, or home-directory config paths are requested.
Persistence & Privilege
always is false and the skill is user-invocable. The package and SKILL.md explicitly avoid requesting persistent secrets (no passwords or cookie-based login). The references state relay-backed posting and no home-directory persistence; there is no evidence the skill force-enables itself or modifies other skills.
Assessment
This skill delegates all network actions to a relay at api.aisa.one and requires a single secret, AISA_API_KEY — treat that like an API key. If you plan to install, confirm you trust api.aisa.one (privacy, retention, and access policies) because attachments (workspace media files) and post content are sent to that relay for upload/publication. The skill will never ask for your Twitter password or cookies; only provide OAuth approval via the relay flow when you deliberately authorize. If you need higher assurance, review the full oauth client code (scripts/twitter_oauth_client.py) for any local persistence of tokens before using in sensitive environments.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🐦 Clawdis
Bins: python3
Env: AISA_API_KEY
Primary env: AISA_API_KEY
latest: vk977yx9a0d5vmk422yxtd0nm29858g49
22 downloads
0 stars
1 versions
Updated 6h ago
v1.0.0
MIT-0

AIsa Twitter Post Engage

Search X/Twitter profiles, tweets, trends, and OAuth-gated posting through AIsa. Use when: the user needs Twitter research, monitoring, or engagement workflows. Supports search, monitoring, and approved posting.

When to use

  • The user needs Twitter/X research, monitoring, posting, or engagement workflows.
  • The user wants profiles, timelines, trends, lists, communities, or Spaces.
  • The user wants approved posting without sharing passwords.

High-Intent Workflows

  • Research an account or conversation thread.
  • Monitor a keyword, trend, or competitor.
  • Authorize and publish a post after explicit approval.

Quick Reference

  • python3 scripts/twitter_client.py --help
  • python3 scripts/twitter_engagement_client.py --help
  • python3 scripts/twitter_oauth_client.py --help

Setup

  • AISA_API_KEY is required for AIsa-backed API access.
  • Use repo-relative scripts/ paths from the shipped package.
  • Prefer explicit CLI auth flags when a script exposes them.

Example Requests

  • Research recent AI agent conversations on X
  • Search how users are reacting to a product launch on Twitter
  • Authorize and publish a short product update post

Guardrails

  • Do not ask for passwords, cookies, or browser credentials.
  • Do not claim posting succeeded until the API confirms it.
  • Return authorization links instead of relying on auto-open behavior.
