X(Twitter) Post Automation

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for X automation, but it uses a logged-in Chrome/X session to publish public posts without an explicit final user approval step.

Only use this skill if you are comfortable with an agent reading X trends through your browser and posting publicly from your X account. Add a mandatory review-and-approve step before publication, consider using a dedicated browser profile or test account, and periodically check or clear the memory logs.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

The agent could publish a public tweet from the user's account that the user has not reviewed, which may affect reputation, compliance, or account safety.

Why it was flagged

The skill instructs the agent to use browser automation to publish a public post, but there is no explicit final user confirmation or approval step before clicking Post.

Skill content
- Navigate to `https://x.com/compose/post`.
- Type the selected text and click "Post".
Recommendation

Require an explicit user approval step after drafting and before clicking Post, and limit use to requests where the user clearly asked to publish.

ASI03: Identity and Privilege Abuse
High
What this means

The skill can act as the logged-in X user and post publicly through that account.

Why it was flagged

Using the Chrome profile for X likely gives the agent access to the user's existing logged-in X session; combined with the publication step, this is account-level delegated authority.

Skill content
Use `browser(profile="chrome")` to visit `https://x.com/home`.
Recommendation

Use a dedicated browser profile or test account, document the required X session access, and require user approval before any account mutation.

ASI06: Memory and Context Poisoning
Low
What this means

Draft posts and related context may remain available after the run and could influence later tasks if reused.

Why it was flagged

The skill stores generated tweet candidates in a persistent memory path; this is understandable for logging but may preserve drafts or context for later reuse.

Skill content
Write candidates to `memory/x-daily-candidates.log`.
Recommendation

Review or clear the memory logs periodically, and avoid including sensitive or private information in generated drafts.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less external context for who maintains the skill or how it should behave beyond the provided instructions.

Why it was flagged

The skill is instruction-only with no code to inspect, but its provenance is limited because no source or homepage is provided.

Skill content
Source: unknown; Homepage: none
Recommendation

Review the SKILL.md workflow carefully before use, especially because it can post publicly from an authenticated account.