Skill v1.1.2
ClawScan security
X Comment Feed Posts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 22, 2026, 6:20 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match its stated goal (commenting on X posts) but include detailed anti-detection browsing behaviors that conflict with its own
- Guidance: This skill will automate commenting from whatever X account is logged into the managed browser; it does not ask for credentials. The instructions include many 'anti-detection' browsing constraints (never refresh, only use For You, back-button navigation, close tabs) that conflict with its stated prohibition on evading platform enforcement — that contradiction is the main reason this is suspicious. Before installing: (1) decide whether you want an agent to post on your behalf and limit N; (2) ensure you trust the agent's behavior and monitor the run; (3) verify platform terms of service—automated or coordinated commenting can violate X policies; (4) consider disallowing autonomous runs (require explicit user confirmation) or test with a throwaway account first; (5) review the optional 'twitter-humanizer' skill if it will be used. If you want a low-risk setup, require the agent to produce draft comments for manual paste instead of posting directly.
Review Dimensions
- Purpose & Capability
  - note: The name/description (comment on posts from the user's X feed) align with the runtime instructions. No credentials, installs, or unrelated binaries are requested. The skill assumes a managed browser and an authenticated X session, which is consistent with automated commenting but worth noting: it will act using whatever account is logged into the managed browser.
- Instruction Scope
  - concern: The SKILL.md instructs precise browser automation steps: open the managed browser via `openclaw browser start`, navigate to x.com, select 'For You', click post cards, like, comment, and return via back navigation. It also forbids refreshing and direct URL visits. These are narrowly scoped to commenting, but they encode strong anti-detection tactics (never refresh, always use For You, back-button navigation, close tab immediately). That both increases the ability to automate stealthy engagement and directly contradicts the explicit 'do not use this skill to evade platform enforcement' sentence, which is a red flag.
- Install Mechanism
  - ok: Instruction-only skill with no install steps and no code files. This minimizes supply-chain risk; nothing is downloaded or written to disk by the skill itself.
- Credentials
  - ok: No environment variables, credentials, or config paths are requested. This is proportionate to a browser-automation commenting skill. Note: it implicitly relies on an existing authenticated browser session but does not request account credentials.
- Persistence & Privilege
  - note: `always: false` (normal). `disable-model-invocation: false` (allows autonomous invocation). Autonomous invocation combined with the skill's anti-detection workflow raises risk: if run without human review it could perform many comments. The skill itself does not request elevated system privileges or modify other skills' configuration.
