twit-mcp

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

This skill appears to do what it says, but it gives an AI agent a funded crypto wallet and persistent X/Twitter session access, so the agent can spend USDC and post, delete, follow, like, or retweet on your behalf; the reviewed artifacts show no built-in approval step or spending limit.

Install only if you are comfortable letting an agent spend from a dedicated low-balance wallet and act on a connected X/Twitter account. Review every proposed post, delete, follow, retweet, or like; monitor USDC charges; pin the npm version; and disconnect or remove ~/.twit-mcp-credentials.json when finished.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent invokes these tools incorrectly or too often, it could publish or delete public content, change follows/likes/retweets, and incur repeated USDC charges.

Why it was flagged

The tool surface combines public/account-changing Twitter actions with automatic paid API calls, but the artifacts do not show explicit per-write confirmation or spending controls.

Skill content
`post_tweet` | Post a new tweet as the authenticated user ... `delete_tweet` ... `retweet` ... `follow_user` ... Each tool call costs $0.0025–$0.01 USDC, paid automatically from the configured wallet
Recommendation

Require explicit user confirmation for every write action and paid call, use spend limits where possible, and disable autonomous invocation if you do not want the agent acting on your account.

What this means

The configured wallet can be charged whenever the agent uses the tools, and because the raw private key sits in the process environment, any code in the package or its dependency tree can read it; a compromised or misbehaving dependency would then have the same spending power as the skill.

Why it was flagged

The skill consumes a raw wallet private key and uses it to authorize automatic x402 payments for tool calls.

Skill content
const privateKey = process.env.WALLET_PRIVATE_KEY ... const account = privateKeyToAccount(privateKey); ... const fetchWithPayment = wrapFetchWithPayment(fetch, client);
Recommendation

Use only a dedicated low-balance wallet, never your main wallet; monitor charges; and avoid setting WALLET_PRIVATE_KEY in shared shells, CI logs, or world-readable dotfiles.
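As an added example (not twit-mcp code, and not a description of how the skill itself behaves), here are the two controls recommended here and in the first finding, an approval prompt for account-changing tools and a hard USDC budget for paid calls, written in JavaScript as a wrapper around an assumed tool dispatch function. The dispatch signature, the confirm callback, the `get_timeline` read tool and `like_tweet` are assumptions; the other tool names and the $0.01 per-call ceiling come from the audit.

```javascript
// Added example, not code from twit-mcp: an approval gate for
// account-changing tools plus a hard spend cap for x402-paid calls.
// Amounts are in micro-USDC (1 USDC = 1_000_000 units) so budget
// arithmetic stays exact. The dispatch shape, the confirm callback and
// the tool names get_timeline / like_tweet are assumptions.
const USDC = 1_000_000;
// Upper bound of the per-call price quoted in the audit ($0.01).
const MAX_COST_PER_CALL = USDC / 100;

// Every tool in this set changes public content or account state, so it
// never runs without an explicit yes from the user.
const WRITE_TOOLS = new Set([
  "post_tweet", "delete_tweet", "retweet", "follow_user", "like_tweet",
]);

class SpendCap {
  constructor(limitMicro) {
    this.limit = limitMicro;
    this.spent = 0;
    this.calls = 0;
  }
  // Reserve the worst-case charge before the paid call is made, so a call
  // that could exceed the budget never reaches the x402 endpoint.
  reserve(micro) {
    if (this.spent + micro > this.limit) return false;
    this.spent += micro;
    this.calls += 1;
    return true;
  }
  // Replace the reservation with the charge actually reported for the call.
  settle(reservedMicro, actualMicro) {
    this.spent += actualMicro - reservedMicro;
  }
  remaining() {
    return this.limit - this.spent;
  }
}

// invokeTool(name, args) -> { result, costMicro } is the assumed shape of
// the underlying paid call; confirm(name, args) -> boolean is the user prompt.
function createGuardedInvoke({ invokeTool, confirm, cap }) {
  return async function guardedInvoke(name, args) {
    if (WRITE_TOOLS.has(name)) {
      const approved = await confirm(name, args);
      if (!approved) return { status: "denied", tool: name };
    }
    if (!cap.reserve(MAX_COST_PER_CALL)) {
      return { status: "over_budget", tool: name, remainingMicro: cap.remaining() };
    }
    let outcome;
    try {
      outcome = await invokeTool(name, args);
    } catch (err) {
      cap.settle(MAX_COST_PER_CALL, 0); // release the reservation on failure
      cap.calls -= 1;
      throw err;
    }
    cap.settle(MAX_COST_PER_CALL, outcome.costMicro);
    return { status: "ok", tool: name, result: outcome.result, costMicro: outcome.costMicro, spentMicro: cap.spent };
  };
}

// Offline walk-through with a constructed stub in place of the real
// network call: a 0.03 USDC budget, every call charged the maximum, and a
// prompt that refuses deletes.
async function simulate() {
  const cap = new SpendCap(3 * MAX_COST_PER_CALL);
  const invokeTool = async (name) => ({ result: `${name} done`, costMicro: MAX_COST_PER_CALL });
  const confirm = async (name) => name !== "delete_tweet";
  const invoke = createGuardedInvoke({ invokeTool, confirm, cap });
  const script = [
    ["get_timeline", {}],
    ["delete_tweet", { id: "1" }],
    ["post_tweet", { text: "a" }],
    ["post_tweet", { text: "b" }],
    ["post_tweet", { text: "c" }],
    ["post_tweet", { text: "d" }],
  ];
  const statuses = [];
  for (const [name, args] of script) statuses.push((await invoke(name, args)).status);
  return statuses;
}

simulate().then((statuses) => console.log(statuses.join(", ")));
```

Reserving the maximum price before the call, rather than recording the charge afterwards, is what makes the cap a hard limit: the sixth call in the walk-through is refused before any payment is authorized. A denied write costs nothing because the prompt runs before the reservation.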

What this means

Anyone or any process that can read that file may gain the ability to use the connected X/Twitter session for account actions.

Why it was flagged

The skill stores Twitter/X session tokens in a persistent JSON file in the user's home directory.

Skill content
authToken: string; ct0: string; ... writeFileSync(CREDENTIALS_FILE, JSON.stringify(creds, null, 2), 'utf8');
Recommendation

Connect only accounts you are comfortable delegating to the agent, restrict file permissions, use disconnect_twitter when finished, and delete or inspect ~/.twit-mcp-credentials.json if needed.

What this means

A user may install a package or dependency set that is not exactly the same as the reviewed artifacts.

Why it was flagged

The package.json version (1.4.0) differs from the registry metadata version (1.4.1), and the caret dependency ranges may resolve to versions newer than the exact code that was reviewed.

Skill content
"version": "1.4.0" ... "dependencies": { "@modelcontextprotocol/sdk": "^1.12.1", ... "playwright": "^1.58.2" }
Recommendation

Pin the exact npm package version, verify the package provenance, and prefer a lockfile or reproducible install for high-privilege use.
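The check behind this finding, as an added JavaScript example rather than anything ClawScan or twit-mcp ships: compare the manifest's declared version with the registry version and flag every dependency range that is not an exact pin. The manifest below is constructed from the fragment quoted above; the third dependency is invented to show an exact pin passing, and devDependencies are skipped because they are not installed for a consumer.

```javascript
// Added example, not ClawScan or twit-mcp code: flag a manifest whose
// declared version differs from the registry and whose dependency ranges
// can float beyond the reviewed code.
// Exact pin: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
// Anything else (^, ~, >=, *, x, a dist-tag like "latest", git or file
// specifiers) is treated as floating.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactPin(range) {
  return EXACT_SEMVER.test(String(range).trim());
}

// Returns a list of findings; an empty list means the manifest is pinned
// and matches the registry version the reviewer looked at.
function auditManifest(manifest, registryVersion) {
  const findings = [];
  if (manifest.version !== registryVersion) {
    findings.push({ kind: "version_mismatch", declared: manifest.version, registry: registryVersion });
  }
  // devDependencies are not installed by consumers, so only runtime sets count.
  for (const field of ["dependencies", "optionalDependencies", "peerDependencies"]) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (!isExactPin(range)) findings.push({ kind: "floating_range", field, name, range });
    }
  }
  return findings;
}

// Constructed manifest based on the fragment quoted in the audit; the
// third dependency is invented to show an exact pin passing.
const SAMPLE_MANIFEST = {
  name: "twit-mcp",
  version: "1.4.0",
  dependencies: {
    "@modelcontextprotocol/sdk": "^1.12.1",
    "playwright": "^1.58.2",
    "example-pinned-dep": "3.2.1",
  },
};

// Registry version quoted in the audit.
const REGISTRY_VERSION = "1.4.1";

console.log(auditManifest(SAMPLE_MANIFEST, REGISTRY_VERSION));
```

Even with every range pinned, the transitive tree still floats unless a lockfile is committed and installs use `npm ci`, which fails rather than silently resolving a different tree; `npm install twit-mcp@1.4.1 --save-exact` records the exact top-level version, and `npm view twit-mcp version` shows what the registry currently serves.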

What this means

The skill may inspect and interact with a logged-in browser page when connecting Twitter/X.

Why it was flagged

This Playwright page evaluation is expected for the disclosed browser-based Twitter login flow, but it confirms the skill automates a browser session.

Skill content
const handle = await page.$eval('a[data-testid="AppTabBar_Profile_Link"]', (el) => el.getAttribute('href'));
Recommendation

Only run the connection flow intentionally in a trusted browser session, and disconnect or clear credentials when you no longer need write actions.