X/Twitter All-in-One: 30+ APIs, OAuth Post, One Key

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured and authorized, the skill can publish public Twitter/X posts on the authorized account when invoked.

Why it was flagged

The skill requires an AIsa API key and uses OAuth to publish to the user's Twitter/X account, which is expected for this purpose but grants delegated account authority.

Skill content
Publishes posts after the user completes OAuth in the browser... requires... env ["AISA_API_KEY"]
Recommendation

Use a dedicated API key if possible, authorize only the intended account, and revoke OAuth access when you no longer need the skill.

What this means

If TWITTER_RELAY_BASE_URL is changed to an untrusted or non-HTTPS endpoint, the API key and posting payload could be sent there.

Why it was flagged

The OAuth client can use a custom relay URL from the environment and will send the bearer API key to that configured relay.

Skill content
get_env("TWITTER_RELAY_BASE_URL", DEFAULT_BASE_URL)... "Authorization": f"Bearer {aisa_api_key}"
Recommendation

Leave TWITTER_RELAY_BASE_URL unset unless you intentionally use a trusted relay, and prefer HTTPS-only endpoints.

What this means

A post could be published publicly, so users should make sure the intended behavior (standalone post, quote, or reply) is unambiguous before using the skill for important posts.

Why it was flagged

The skill is meant to post when the user asks, but the reference contains some ambiguity about quote/reply defaults for public posting commands.

Skill content
Try to publish the requested content first... Default to `--type quote` for publishing... For a normal standalone image/video post, do not send quote/reply relationship fields.
Recommendation

For sensitive posts, explicitly tell the agent whether to draft, post, quote, or reply, and ask for confirmation before publishing if you want an extra review step.

What this means

Any attached media and post text are shared with the relay provider and then Twitter/X as part of publishing.

Why it was flagged

Selected local media files are routed through the AIsa relay backend before being posted to Twitter/X.

Skill content
The Python client reads the local file and sends it to the relay backend as `multipart/form-data`. The relay backend uploads the media to Twitter/X and then publishes the tweet.
Recommendation

Only attach files you intend to upload publicly, and avoid using private or sensitive local file paths.

What this means

Users have less provenance information with which to independently audit the skill's origin.

Why it was flagged

The registry metadata does not identify a source repository or provenance, although no install script or remote package installation is shown.

Skill content
Source: unknown
Recommendation

Prefer installing from publishers you trust and review the included files before authorizing account access.