Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

twitter-aisa-api

v1.0.1

Search and read Twitter/X profiles, tweets, trends, and Spaces via AISA relay, then publish posts with OAuth and approved media files using AISA_API_KEY.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

Capability signals: Requires OAuth token; Requires sensitive credentials; Posts externally
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md, and Python clients are coherent: they implement read APIs and OAuth-based posting via the AISA relay (api.aisa.one). Requiring an AISA_API_KEY and python3 is proportionate to the stated capability. However, the registry-level top summary lists no required env vars or bins while SKILL.md and the scripts require AISA_API_KEY and python3 — this packaging/metadata mismatch is unexpected.
Instruction Scope
Runtime instructions in SKILL.md and references/post_twitter.md are scoped to searching, reading, and publishing via the relay. They explicitly require OAuth approval for posting, restrict media uploads to user-provided workspace files, and advise returning an authorization URL rather than collecting passwords or cookies. The scripts only reference workspace file paths for media and the AISA_API_KEY env var.
Install Mechanism
No install spec is provided (instruction-only packaging), and included code files are present in the bundle — nothing is downloaded from external URLs during install. This is low-install risk, but you should verify the included scripts before running.
Credentials
The code and SKILL.md require AISA_API_KEY (and the SKILL.md metadata lists python3). That single API key is proportionate to the skill's purpose. The concern is that the registry metadata at the top of the bundle incorrectly lists no required env vars or primary credential, which could cause accidental omission of required secrets by operators or mask the need to supply the API key. No other unrelated credentials are requested by the code.
Persistence & Privilege
The skill is not forced always-on (always: false) and uses normal autonomous invocation. SKILL.md claims no home-directory persistence or cookie scraping; the provided code appears to follow a relay/OAuth flow. You should still verify whether OAuth tokens are stored locally by the oauth client (not fully shown in truncated source) before trusting persistent behavior.
What to consider before installing
This package is generally coherent with its stated purpose (reads and posts via the AISA relay), but the top-level registry metadata does not list the required AISA_API_KEY or python3 even though SKILL.md and the scripts require them. Before installing or enabling:
1) verify the AISA_API_KEY comes from a trusted AISA operator and that you understand the key's permissions;
2) review the included scripts (twitter_oauth_client.py) for where OAuth tokens are stored or cached (ensure they are not silently written to unexpected locations);
3) be aware that publishing will upload any provided workspace media to https://api.aisa.one (the relay) and that network calls occur;
4) test in a sandboxed environment if possible; and
5) request the publisher to correct registry metadata so required env vars and binaries are declared.
If you cannot confirm the relay operator or token handling, do not install or run the skill with real credentials.


latest: vk97b4swhr6pq4cn1f7tf4map7h84w99m
