SoloBuddy
Warn
Audited by ClawScan on May 10, 2026.
Overview
SoloBuddy’s core content workflow is coherent, but its optional Twitter monitor relies on copied X/Twitter tokens and persistent background scripts that are not provided for review.
The local writing and backlog features look aligned with the skill’s purpose. Before enabling Twitter monitoring, inspect the referenced scripts and LaunchAgent, avoid copying browser/session tokens if possible, and confirm how to stop the monitor. Also review git changes before using the publish command.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If mishandled, copied Twitter session tokens could expose or grant access to the user’s X/Twitter account beyond simple content drafting.
The monitor asks the user to place X/Twitter credential-like values in shell configuration; these tokens can give scripts access as the user, while the skill metadata declares no credential contract.
Credentials in `~/.zshrc`:
```bash
export AUTH_TOKEN="..."
export CT0="..."
```
Do not enable the monitor unless you understand the credential handling; prefer scoped OAuth/API credentials, keep tokens out of shared scripts/logs, and use a least-privilege account where possible.
Enabling the monitor could require running local helper code whose behavior, network use, logging, and credential handling are not visible in this review.
The operational helper scripts and LaunchAgent are referenced as part of the feature, but the supplied artifact set contains no script or plist contents to review.
```
~/.clawdbot/scripts/
├── twitter-monitor.sh    # Fetches tweets via bird CLI
└── twitter-analyze.sh    # Sends to ClawdBot for analysis

~/Library/LaunchAgents/
└── com.clawdbot.twitter-monitor.plist
```
Inspect or obtain the exact scripts and plist before loading them, pin their source/version, and avoid running unreviewed helpers with account tokens.
Once enabled, it may continue fetching Twitter data, invoking ClawdBot, and sending notifications until the user explicitly stops it.
The optional Twitter monitor is designed to persist on an interval and invoke the agent automatically, rather than only responding to a single user request.
```
LaunchAgent (configurable interval)
    ↓
twitter-monitor.sh
...
→ sends to clawdbot agent --deliver
```
Enable only if you want persistent monitoring, verify the interval and scripts, and keep the documented unload command available to disable it.
Private backlog notes, session logs, or other local files inside dataPath could be committed and pushed unintentionally.
The publishing command is purpose-aligned, but it stages and pushes every changed file under the configured dataPath, not only a selected draft.
```bash
cd {dataPath} && git add . && git commit -m "content: add draft" && git push
```
Review `git status` and `git diff` before publishing, use specific file paths instead of `git add .`, and keep private files outside the publish repository.
Sensitive or stale notes in the configured folder can influence later drafts or be surfaced in generated content.
The assistant is intended to read and reuse persistent local content as memory for future content generation.
Data You Know About
- Ideas backlog: `{dataPath}/ideas/backlog.md`
- Session log: `{dataPath}/ideas/session-log.md`
- Drafts: `{dataPath}/drafts/`
- Published posts: `{dataPath}/data/my-posts.json`

Use a dedicated dataPath, avoid storing secrets or private notes there, and periodically review backlog/session files and generated drafts.
