Grok X Growth Agent
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is designed to use your X and xAI credentials to automatically post affiliate replies, while making strong safety claims that are not substantiated by included code.
Only install this if you are comfortable giving an agent credentials and authority to post from your X account. Use dry-run mode first, verify the ThumbGate package before running npx, restrict OAuth scopes, require manual approval for posts, and avoid storing unrelated sensitive data in the agent's memory.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish promotional replies from the user's account, affecting reputation, account standing, or compliance with platform rules.
The skill is explicitly intended to perform public posting actions with monetized links on the user's X account; the artifacts do not clearly require manual approval before posting.
autonomously identify trending niche discussions and reply with hyper-relevant affiliate links
Require a dry-run/manual approval mode by default, clearly define posting scopes and limits, and log every proposed and executed post.

Users may grant account/API authority without a clear view of what permissions are needed or how broadly the agent can act.
The setup requires credentials for X and xAI, but the registry metadata declares no required environment variables or primary credential, and the exact OAuth scopes are not bounded.
Add your X.com `CLIENT_ID` and `CLIENT_SECRET` to the OpenClaw environment. Add your `XAI_API_KEY` to enable the Grok brain.
Declare all required credentials in metadata, request the minimum OAuth scopes needed, and document exactly what account actions the credentials enable.

Users may over-trust the safety claims and allow automated public posting that could still trigger spam, reputational, or account-enforcement problems.
This is a strong safety guarantee for account-ban prevention, but no ThumbGate implementation or enforcement code is included in the artifacts.
Zero banned accounts thanks to ThumbGate safety constraints.
Avoid absolute safety claims; provide verifiable enforcement details and advise users to test in simulation before enabling live posting.

Installing the safety component requires trusting a separate package and its install-time behavior.
The setup depends on an external, unpinned npx package that is not included in the reviewed artifacts.
Install ThumbGate: `npx thumbgate init --agent openclaw`
Pin the package version, provide provenance, and review the ThumbGate package before running the npx command.

Incorrect or tampered memory entries could cause the agent to post the wrong links or unwanted promotional content.
The agent stores affiliate-link context in persistent memory for reuse in generated public replies.
Add your Make.com or ElevenLabs affiliate links to the agent's memory.
Keep memory entries scoped to this skill, review them regularly, and avoid storing unrelated sensitive information.

The agent may continue acting on the user's social account after initial setup, creating ongoing exposure if configuration or generated content is wrong.
The skill describes continuous autonomous operation tied to public posting, but does not define a clear stop condition, operating window, or containment mechanism beyond posting-rate rules.
Monitors X.com for trending keywords in your specific B2B or SaaS niche 24/7.
Require explicit enable/disable controls, bounded schedules, review queues, and emergency stop instructions before live autonomous operation.
