OpenClaw X
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the executable or local service mishandles the cookie file, it could act as the user's logged-in X/Twitter account, potentially including public posts or account interactions.
Browser cookies are live session credentials. The skill asks for them to be exported to a file used by the local service, but does not bound which cookies are needed, how they are protected, or how to revoke or clean them up.
Export your X cookies from Chrome (using Cookie-Editor extension), save as `cookies.json` in the same directory
Only use this with a trusted, verified executable and preferably a low-risk test account. Avoid exporting broad browser cookies unless you understand how they are stored, used, and removed.
An agent or local process that can reach the service may be able to post, like, retweet, or bookmark from the user's X/Twitter account while the service is running.
The documented API exposes account-mutating actions through simple local HTTP requests, but the artifact does not describe per-action user confirmation, authorization checks, or limits for these high-impact operations.
curl -X POST http://localhost:19816/tweet ...; curl -X POST http://localhost:19816/tweet/{tweet_id}/like; curl -X POST http://localhost:19816/tweet/{tweet_id}/retweet
Require explicit user approval before posting or engaging, restrict access to the local service, and review the exact request before any public account action is sent.
The reviewed skill text cannot show what the downloaded binary actually does with the user's X/Twitter session cookies or account actions.
The skill depends on an external executable that is not included in the reviewed artifacts. That executable is expected to receive exported account cookies and perform account actions, making provenance and review especially important.
Download the executable from [GitHub Release](https://github.com/bosshuman/openclaw-x/releases)
Verify the release source, signatures or checksums, and source code before running it. Do not provide session cookies to an unreviewed binary.
