twitterapi-io
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill is a real Twitter/X API integration, but it gives an agent broad account-changing powers and asks for sensitive Twitter login/session credentials without strong built-in confirmation or containment guidance.
Install only if you are comfortable letting an agent use TwitterAPI.io with your Twitter/X account authority. Keep read-only searches separate from write actions, require explicit confirmation before every post/DM/follow/delete/profile change, avoid using a primary account or long-lived cookies where possible, and watch for credit costs and persistent monitoring rules.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: If connected with valid credentials, an agent could take visible or private actions on the user's Twitter/X account, such as posting, liking, following, or sending DMs.
The skill intentionally exposes broad Twitter/X write capabilities, including public posts and private messages, without an explicit confirmation or containment policy in the main instructions.
Evidence: "... post tweets, like, retweet, follow, send DMs, and more. Covers all 67 active endpoints. Use when the user wants to read or write Twitter data."
Recommendation: Only use this skill with explicit per-action approval for writes, and review every tweet, DM, follow, profile update, delete, or community action before sending.

Finding 2: Compromise or misuse of these credentials or returned session cookies could allow access to the user's Twitter/X account actions beyond a single task.
The login flow sends Twitter account credentials, a 2FA secret, and proxy credentials to the third-party TwitterAPI.io service, giving the integration substantial delegated account authority.
Evidence: "user_name": "USERNAME", "email": "EMAIL", "password": "PASSWORD", "proxy": "http://user:pass@host:port", "totp_secret": "2FA_SECRET_16CHAR"
Recommendation: Use a dedicated low-risk account if possible, avoid sharing primary account passwords or 2FA seeds, rotate/revoke credentials after use, and confirm the provider's trustworthiness before proceeding.

Finding 3: A Twitter/X session cookie could be accidentally recorded in logs or command history and reused by someone else.
The documentation explicitly notes that sensitive session cookies may be placed in URLs for the DM-history endpoint, increasing the chance of exposure through logs or history.
Evidence: "login_cookies is sent as a GET query parameter, meaning it appears in URL logs, browser history, and server access logs."
Recommendation: Avoid the DM-history endpoint unless necessary, never paste real cookies into shared chats or logs, and sanitize command history and request logs after use.

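The sanitizing step in that recommendation can be automated. The following is an added example written for this review, not code from ClawScan, TwitterAPI.io or the audited skill: it scans log or shell-history lines for secrets carried in query strings, reports which lines leaked which parameter, and rewrites the lines with the values redacted. Only the parameter name login_cookies comes from the skill's documentation; the other names, the hostname, paths and cookie value in the sample are assumptions constructed for illustration.

```python
import re

# Query parameter names treated as secrets. "login_cookies" is the parameter
# the TwitterAPI.io docs describe as sent by GET; the other names are assumed
# for illustration and are not taken from the audited skill.
SENSITIVE_PARAMS = ("login_cookies", "password", "totp_secret", "api_key")
REDACTED = "[REDACTED]"

# Matches "?name=value" or "&name=value" for a sensitive name. The value stops
# at the next "&", whitespace or quote so the rest of the line is untouched.
_SECRET_PARAM_RE = re.compile(
    r"(?P<sep>[?&])(?P<name>"
    + "|".join(map(re.escape, SENSITIVE_PARAMS))
    + r")=(?P<value>[^&\s\"']*)"
)


def find_secret_params(text: str) -> list[str]:
    """Names of sensitive query parameters that appear with a non-empty value."""
    return sorted({m.group("name") for m in _SECRET_PARAM_RE.finditer(text)
                   if m.group("value")})


def redact_secret_params(text: str) -> str:
    """Replace each sensitive parameter value with a placeholder, leaving
    everything else in the line exactly as it was."""
    return _SECRET_PARAM_RE.sub(
        lambda m: f"{m.group('sep')}{m.group('name')}={REDACTED}", text)


def audit_lines(lines):
    """Scan log or history lines and return (redacted_lines, findings).

    findings is a list of (1-based line number, [parameter names]) for every
    line that carried a secret in a query string."""
    redacted, findings = [], []
    for n, line in enumerate(lines, 1):
        hits = find_secret_params(line)
        if hits:
            findings.append((n, hits))
        redacted.append(redact_secret_params(line))
    return redacted, findings


# Constructed sample: one shell-history line and two access-log lines.
# Host, paths and the cookie value are placeholders, not real endpoints.
SAMPLE_LINES = [
    'curl "https://api.example.invalid/twitter/dm/history'
    '?login_cookies=auth_token%3DCOOKIE_VALUE&count=20"',
    '10.0.0.5 - - [10/May/2026:12:00:01 +0000] "GET /twitter/dm/history'
    '?count=20&login_cookies=auth_token%3DCOOKIE_VALUE HTTP/1.1" 200',
    '10.0.0.5 - - [10/May/2026:12:00:02 +0000] "GET /twitter/tweet/search'
    '?query=hello HTTP/1.1" 200',
]

if __name__ == "__main__":
    cleaned, found = audit_lines(SAMPLE_LINES)
    for n, names in found:
        print(f"line {n}: secret query parameter(s) {', '.join(names)}")
    print("\n".join(cleaned))
```

Run it over a copy of the shell history or the proxy access log before the file is shared or retained; the findings list tells you which lines warrant rotating the cookie, since a redacted log does not undo an earlier exposure. The matcher deliberately keys on the query-string separators (`?` and `&`), so it catches the GET usage the documentation describes without rewriting unrelated text that happens to contain the same word.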
Finding 4: Monitoring rules may continue to run until removed and may consume credits or collect ongoing Twitter/X activity.
The skill documents provider-side filter rules and user monitoring, which can create ongoing monitoring state outside the immediate chat session.
Evidence: "Add Filter Rule ... update_rule with is_effect: 1 to activate ... Add User to Monitor"
Recommendation: Track any rules or monitored users created by the agent, and delete or deactivate them when the task is finished.

Finding 5: Users may underestimate the credentials and account access needed before installing or invoking the skill.
The registry metadata says no credentials are required, while the skill documentation requires a TwitterAPI.io API key and write-action login/session credentials.
Evidence: "Required env vars: none; Env var declarations: none; Primary credential: none"
Recommendation: Treat the skill as credentialed account automation despite the metadata gap, and configure credentials only after reviewing the documentation.
