Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

twitter-aisa

v1.0.2

Search and retrieve Twitter/X profiles, tweets, trends, and Spaces via AISA relay, and publish approved posts with OAuth without sharing passwords.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bibaofeng/twitter-aisa.

Install the skill "twitter-aisa" (bibaofeng/twitter-aisa) from ClawHub.
Skill page: https://clawhub.ai/bibaofeng/twitter-aisa
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install twitter-aisa

ClawHub CLI

npx clawhub@latest install twitter-aisa

Security Scan

Capability signals

Requires OAuth token, Requires sensitive credentials, Posts externally

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill name, SKILL.md, and included Python clients all implement Twitter/X read and OAuth posting via the AISA relay (https://api.aisa.one). The requested secret (AISA_API_KEY) is appropriate for a relay-based client. However, the registry-level summary at the top claims no required env vars or binaries while SKILL.md and the scripts require python3 and AISA_API_KEY — an inconsistent manifest entry.
Instruction Scope
Runtime instructions are focused on read operations and OAuth-backed posting and explicitly require uploading user-supplied workspace media files as multipart/form-data to the relay. The scripts access only environment variables (AISA_API_KEY), local workspace files for media, and call webbrowser optionally. There is no instruction to read unrelated system files or secrets—but the workflow does send user-provided attachments and OAuth flows to the external relay, which is expected but privacy-relevant.
Install Mechanism
This is an instruction-only release with no install spec; scripts run directly with python3. That reduces installation risk because nothing is downloaded or installed at runtime by the skill itself.
Credentials
The only runtime secret the skill needs is AISA_API_KEY, which is proportionate to a relay-based Twitter client. The concern is the manifest inconsistency: the top-level registry data lists 'Required env vars: none' while SKILL.md and the code require AISA_API_KEY (and declare it as primaryEnv). Also, providing AISA_API_KEY grants the relay permission to act on your behalf — you should confirm the relay operator is trusted before supplying it.
Persistence & Privilege
The skill does not request always: true, does not modify other skills or system configs, and has no install-time persistence. It only runs as a user-invoked skill (normal).
What to consider before installing
This package appears to implement what it says: a Twitter/X client that routes reads and OAuth-backed posting through api.aisa.one. Before installing, verify the skill's provenance (there's no authoritative homepage/source in the registry and the publisher identity is opaque). Be aware that any workspace media files and OAuth approvals will be uploaded to the relay (api.aisa.one) and that you must provide an AISA_API_KEY to use it — only supply that key if you trust the relay operator. Also note the registry metadata is inconsistent (it doesn't declare the required AISA_API_KEY and python3 even though SKILL.md and the scripts require them); ask the publisher to correct manifest fields or provide a verifiable homepage/source before broad use. If you cannot verify the relay, consider using an official Twitter/X API integration or running these scripts in an isolated environment and reviewing the code yourself.

Like a lobster shell, security has layers — review code before you run it.

latestvk977n8m5b1m9bkzd44zkw2060s84xtg5
89 downloads
0 stars
3 versions
Updated 1w ago
v1.0.2
MIT-0

OpenClaw Twitter

Runtime-focused release bundle for Twitter/X search and posting through the AISA relay.

When to use

  • The user wants to read profiles, timelines, mentions, followers, tweet search results, trends, lists, communities, or Spaces.
  • The user wants to draft or publish posts after completing OAuth without sharing passwords.
  • The task needs a Python client for repeatable Twitter/X automation backed by AISA_API_KEY.

When NOT to use

  • The user needs cookie extraction, browser credential scraping, or direct password login.
  • The workflow must avoid sending requests, OAuth state, or approved media through api.aisa.one.
  • The request is for likes, follows, or other engagement actions not covered by this package.

Quick Reference

  • Required env: AISA_API_KEY
  • Read client: ./scripts/twitter_client.py
  • Post workflow guide: ./references/post_twitter.md

Setup

export AISA_API_KEY="your-key"

All network calls go to https://api.aisa.one/apis/v1/....

Capabilities

  • Read user data, timelines, mentions, followers, followings, verified followers, and follow relationships.
  • Search tweets and users, inspect replies, quotes, retweeters, thread context, and Spaces.
  • Publish text, image, and video posts after explicit OAuth approval.
  • Split long posts into threaded chunks when the publish script needs it.

Common Commands

python3 {baseDir}/scripts/twitter_client.py user-info --username elonmusk
python3 {baseDir}/scripts/twitter_client.py search --query "AI agents" --type Latest
python3 {baseDir}/scripts/twitter_client.py trends --woeid 1
python3 {baseDir}/scripts/twitter_oauth_client.py status
python3 {baseDir}/scripts/twitter_oauth_client.py authorize
python3 {baseDir}/scripts/twitter_oauth_client.py post --text "Hello from OpenClaw"

Posting Workflow

When the user asks to send, publish, reply, or quote on X/Twitter, follow ./references/post_twitter.md.

  • Return the authorization link first when posting is not yet approved.
  • Use --media-file only for user-provided workspace files.
  • Do not invent captions, remote URLs, or extra media attachments.

ClawHub Suspicious Review Notes

These points summarize the common reasons similar skills are marked Suspicious and how this release addresses them:

  • The package is relay-based: read calls, OAuth requests, and approved media uploads go to api.aisa.one.
  • The package is API-key-first: it requires AISA_API_KEY and does not ask for passwords, cookies, CT0, or other legacy secrets.
  • The release bundle is runtime-only: it keeps SKILL.md, scripts/, and the posting reference, while omitting non-runtime files such as README.md and _meta.json.
  • The package does not include cache sync, self-install logic, home-directory persistence, browser-cookie extraction, or external agent CLI wrappers.
  • Browser opening is optional and not the default workflow; returning the authorization link is the preferred path for OpenClaw.
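
The two claims above that a reviewer can check statically (one relay host, one secret) can be tested against the script sources before running them. This is an added example, not part of the skill bundle: the sample sources are constructed, the allow-lists are taken from this page, and Python 3.9+ is assumed for `ast.unparse`.

```python
import ast
import re
from urllib.parse import urlparse

ALLOWED_HOSTS = {"api.aisa.one"}   # relay host named on this page
ALLOWED_ENV = {"AISA_API_KEY"}     # the only secret the page says is needed
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample sources (not the skill's real scripts).
SAMPLE_OK = '''
import os
BASE = "https://api.aisa.one/apis/v1"
key = os.environ["AISA_API_KEY"]
'''
SAMPLE_BAD = '''
import os
BASE = "https://api.aisa.one/apis/v1"
MIRROR = "https://collector.example.net/upload"
key = os.getenv("AISA_API_KEY")
tok = os.environ.get("GITHUB_TOKEN")
other = os.environ[name]
'''

def env_name(node):
    """Name of the env var this AST node reads, '<dynamic>' if computed, else None."""
    if isinstance(node, ast.Subscript) and ast.unparse(node.value) == "os.environ":
        key = node.slice
        return key.value if isinstance(key, ast.Constant) else "<dynamic>"
    if isinstance(node, ast.Call) and ast.unparse(node.func) in ("os.getenv", "os.environ.get"):
        arg = node.args[0] if node.args else None
        return arg.value if isinstance(arg, ast.Constant) else "<dynamic>"
    return None

def audit(source):
    """Return (unexpected hosts, unexpected env vars) found in Python source text."""
    hosts, env = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                host = urlparse(url).hostname
                if host and host not in ALLOWED_HOSTS:
                    hosts.add(host)
        name = env_name(node)
        if name and name not in ALLOWED_ENV:
            env.add(name)
    return sorted(hosts), sorted(env)

if __name__ == "__main__":
    print(audit(SAMPLE_OK), audit(SAMPLE_BAD))
```

Static matching misses URLs assembled at runtime and aliased imports such as `from os import environ`, so a clean result is a first pass alongside reading the code.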

Release Bundle Notes

  • scripts/twitter_client.py preserves the read API surface from the original bundle.
  • scripts/twitter_oauth_client.py preserves OAuth and posting behavior from the original bundle.
  • This package is optimized for publication metadata and upload safety, not for changing runtime logic.
