Twitter Autopilot

Warn. Audited by ClawScan on May 10, 2026.

Overview

The skill largely matches its Twitter/X automation purpose, but needs review because one script appears to contain a hardcoded API key and the skill can perform public Twitter actions after OAuth.

Review this skill before installing. The Twitter/X functionality is clearly related to its purpose, but do not use this release until the apparent hardcoded API key is removed and rotated. If you proceed later, use your own AISA_API_KEY, authorize only an account you are comfortable automating, and carefully review any post, media upload, like, follow, or unfollow action before it runs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: Apparent hardcoded API key

What this means

The package may contain an active API key or use a credential the user did not provide, which can create billing, abuse, or account-boundary issues.

Why it was flagged

The skill declares AISA_API_KEY as the credential source, so an apparent literal API key in the bundled script is an undeclared credential and exposes or reuses authority outside the documented boundary.

Skill content

Static scan at line 304: client = TwitterClient(api_key=[REDACTED])

Recommendation

Do not use this release until the hardcoded key is removed, the exposed credential is rotated, and the script uses only the documented AISA_API_KEY configuration.

Finding 2: Public account-mutating actions

What this means

If invoked on the wrong content or account, the agent could publish posts or perform likes/follows visible to others.

Why it was flagged

These are public, account-mutating Twitter/X actions. They are disclosed and purpose-aligned, but users should be aware that the skill can change public account state once authorized.

Skill content

Also supports posting, liking/unliking tweets, and following/unfollowing users after the user completes OAuth authorization.

Recommendation

Use explicit instructions for each public action, review post content and targets before execution, and revoke OAuth access if you no longer need the skill.

Finding 3: Local media sent to an external relay

What this means

Any attached image or video selected for posting will leave the local workspace and be sent to the relay/Twitter service.

Why it was flagged

The skill sends selected local media files through the AIsa relay backend to publish them on Twitter/X. This is disclosed and expected for media posting, but it is still an external data transfer.

Skill content

The Python client reads the local file and sends it to the relay backend as multipart/form-data.

Recommendation

Only attach files you intend to publish, avoid private media, and verify the relay URL if using TWITTER_RELAY_BASE_URL.