Twitter Post AIsa

Pass. Audited by ClawScan on May 7, 2026.

Overview

The skill appears to do what it claims—AIsa-backed X/Twitter posting and engagement—but it can publicly act on a social account and send approved content/media through AIsa.

Install only if you want AIsa to relay Twitter/X reads, likes, follows, replies, posts, and approved media uploads. Keep the AISA_API_KEY private, do not provide passwords or browser cookies, confirm every public action before execution, and revoke OAuth/API access if you stop using the skill.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or poorly reviewed invocation could like, follow, reply, upload media, or post publicly from an authorized X/Twitter account.

Why it was flagged

The skill can perform public engagement and posting actions, which are high-impact tool uses, but the artifacts disclose the behavior and instruct approval-oriented handling.

Skill content

Run Twitter/X likes, follows, replies, and OAuth-gated posting through AIsa ... Do not make likes, follows, replies, or uploads sound silent or automatic.

Recommendation

Approve each target and post explicitly, and verify account handles, tweet IDs, text, and media before running engagement or posting commands.

What this means

Anyone or any agent with the configured AIsa API key and completed OAuth authorization may be able to perform the supported Twitter/X actions through AIsa.

Why it was flagged

The skill depends on a sensitive API key and OAuth-gated account authority, but it clearly identifies the required credential and explicitly discourages password/cookie use.

Skill content

`AISA_API_KEY` is required for AIsa-backed API access. ... Provide only `AISA_API_KEY`; do not use passwords, cookies, or browser credential export.

Recommendation

Store the AISA_API_KEY securely, authorize only the intended account, do not provide Twitter passwords or cookies, and revoke the OAuth/API access when no longer needed.

What this means

Files and post content selected for upload are sent to AIsa before being published to X/Twitter.

Why it was flagged

Tweet content, OAuth flow data, and selected local media are routed through the AIsa relay; this is disclosed and purpose-aligned, but users should understand the data boundary.

Skill content

The Python client reads the local file and sends it to the relay backend as `multipart/form-data`. ... Posting, OAuth, and approved media uploads are relay-based and go to `api.aisa.one`.

Recommendation

Only attach workspace files that are intended for posting, avoid sensitive/private files, and make sure you trust the AIsa relay endpoint before use.