twitter-dance
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Twitter/X automation skill, but it under-declares and exposes high-impact account credentials while enabling automated public posting and account actions.
Install only if you are comfortable giving this skill and apidance.pro access to a Twitter/X auth token and allowing it to mutate a public account. Rotate any keys that match the examples, use draft-only mode first, avoid cron/bulk actions until reviewed, and protect or periodically delete the logs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these values are real or copied into shared logs/docs, a Twitter/X account or paid API accounts could be abused; users may also miss that the skill needs powerful account credentials.
The guide contains live-looking API keys/session tokens and instructs users to configure a raw Twitter/X auth token, while the registry metadata says there are no required env vars or primary credentials.
export APIDANCE_API_KEY="y6rbeg46..."; export TWITTER_AUTH_TOKEN="AAAAAAAA..."; export KIMI_API_KEY="sk-JM5..."
Remove all real-looking secrets from documentation, rotate any exposed keys, use placeholders only, declare required credentials in metadata, and prefer scoped OAuth or least-privilege tokens where possible.
A mistaken or autonomous invocation could post unwanted content, delete tweets, or change account relationships on a public Twitter/X account.
The skill exposes simple commands for bulk public posting, tweet deletion, and follow-management actions, which are high-impact account mutations.
node scripts/auto-tweet.js --count=5 ... node scripts/interact.js --delete=TWEET_ID ... node scripts/follow.js --follow=USER_ID
Require explicit user confirmation for posting, deleting, following/unfollowing, bulk operations, and replies; default to draft-only mode until the user approves.
Once scheduled, the skill can keep replying or posting without the user actively invoking each action.
The documentation shows persistent scheduled automation that periodically checks notifications and posts replies.
schedule.scheduleJob('0 * * * *', async () => { ... await client.autoReply(n.tweetId, '感谢支持!'); });
Use scheduled jobs only after testing in draft/manual mode, monitor logs, and provide an easy way to disable cron/OpenClaw jobs.
Local log files may retain sensitive social-account history and should not be shared casually.
The skill documents persistent local logs containing generated tweets, posting results, account information, tweet history, and follower data.
logs/ ... tweets-*.jsonl ... results-*.jsonl ... my-info-*.json ... my-tweets-*.jsonl ... followers-*.jsonl
Store logs in a protected location, avoid committing them, and add retention or redaction options for account, follower, and tweet data.
Users may believe the workflow is purely local even though account tokens and generated/public-posting requests are handled through external services.
This privacy claim is hard to reconcile with the skill’s documented use of external apidance.pro and Kimi APIs plus auth-token headers, which may cause users to underestimate third-party credential/data exposure.
### Data privacy - ✅ Processed locally, no upload (original: "### 数据隐私 - ✅ 本地处理,无上传")
Clarify exactly what data and credentials are sent to each provider, remove the 'no upload' claim unless it is narrowly true, and document provider trust assumptions.
