Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
X Twitter Command Center (Search + Post + Interact)
v1.0.6
Searches and reads X (Twitter): profiles, timelines, mentions, followers, tweet search, trends, lists, communities, and Spaces. Publishes posts, likes/unlike...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binaries (curl, python3), and the single required env var (AISA_API_KEY) align with a Twitter/X read-and-post client that uses an external API (AIsa). The included Python clients implement the advertised read, engagement, and OAuth/posting capabilities.
Instruction Scope
The runtime instructions and code will upload local workspace media and user content to an external relay (api.aisa.one) and will request OAuth authorization in the browser so the relay can act on the user's behalf. The SKILL.md and README explain this behavior, but the skill does not declare TWITTER_RELAY_BASE_URL (used by the code) or explicitly call out that attachments and full post content will be transmitted to an external service in the metadata. Agent guardrails are present, but the agent is allowed to perform like/post/follow operations after OAuth — which is expected but increases risk if the relay or API key is untrusted.
Install Mechanism
No install spec; code is instruction-only with Python scripts provided. This is low-risk from an installation perspective (nothing is downloaded at install time), but included code will execute network requests at runtime.
Credentials
Only AISA_API_KEY is declared as required (which the skill uses for authorization). However, the code also reads TWITTER_RELAY_BASE_URL and TWITTER_RELAY_TIMEOUT environment variables (with defaults) but these are not documented in the SKILL metadata; the AISA_API_KEY will be sent as Bearer auth and sometimes included in POST bodies, so the key grants access to the relay endpoints and should be treated as sensitive.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. However, once a user completes OAuth in the browser the relay + API key combination allows the skill (and thus the agent, if invoked) to perform likes, follows, and posts on behalf of the user. Autonomous invocation is allowed by default — that increases blast radius if the agent is authorized and the relay is compromised, so the user should be explicit about authorizing and consider revocation policies.
What to consider before installing
Before installing, confirm you trust the external AIsa relay/service (api.aisa.one): the skill will send your AISA_API_KEY, post text, and any attached media to that service to perform reads, uploads, and OAuth-backed actions. Ask the publisher to document TWITTER_RELAY_BASE_URL explicitly (it's read by the code but not listed in the skill metadata). Understand that after you complete OAuth in the browser the agent+skill can like, follow, or post on your behalf — only authorize if you accept that behavior and have a way to revoke access (or use a scoped/test API key). If you’re unsure about trusting the relay, do not provide your real AISA_API_KEY or complete OAuth until you verify the service/operator.
Like a lobster shell, security has layers — review code before you run it.
latest: vk979ryj1bppyv5aekfcr1671a584cv96
Runtime requirements
🐦 Clawdis
Bins: curl, python3
Env: AISA_API_KEY
Primary env: AISA_API_KEY
