x-agent
v0.1.0Plan, monitor, draft, and safely automate X (Twitter) account workflows with configurable guardrails and phased operational modes.
⭐ 0· 680·2 current·2 all-time
byInceptiv Inc.@inceptivco
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill is explicitly about planning, drafting, monitoring, and (optionally) automating X account workflows. All instructions in SKILL.md are about those activities. However, the SKILL.md tells users to 'configure API credentials in local environment (never in chat)' yet the registry metadata declares no required environment variables or primary credential—this is an inconsistency between the documented runtime expectations and the declared metadata.
Instruction Scope
The runtime instructions stay on-topic: monitoring, drafting, risk-flagging, and gated automation with explicit approval and kill-switch requirements. There are no directives to read unrelated system files, harvest unrelated environment variables, or send data to external endpoints beyond the implied X API. It explicitly warns not to place credentials in chat and to keep automation off until explicitly enabled.
Install Mechanism
No install spec and no code files—this is an instruction-only skill. That minimizes disk-write/remote-download risk. There is nothing attempting to install third-party packages or fetch code from external URLs.
Credentials
The skill reasonably needs X API credentials to perform posting/monitoring, and the SKILL.md instructs configuring them locally. But the registry metadata does not list any required env vars or a primary credential. This is likely an oversight but should be corrected so users know what secrets are needed and where they must be stored.
Persistence & Privilege
The skill does not request always:true, does not claim persistent system-level presence, and is user-invocable only. It does not ask to modify other skills' configs or system-wide settings in the provided materials.
Assessment
This skill looks coherent and focused on X/Twitter workflows, with sensible safety guidance (monitor-only start, explicit approvals, kill-switch). Things to check before installing or using it: 1) Confirm where and how you will supply X API credentials—the SKILL.md says to configure them locally but the skill metadata doesn't declare required env vars, so plan to store them in your environment (not in chat). 2) Start in monitor-only mode and test the approval flow before enabling any automation. 3) Verify playbooks and hard caps (max posts/day, quiet hours, kill switch) match your risk appetite. 4) Because the skill source/homepage is unknown, prefer using it only with accounts where you control the credentials and avoid granting broad posting rights until you trust the workflow. If you want a tighter assessment, provide any additional metadata or an updated manifest that declares the exact env vars the skill expects (e.g., X_API_KEY, X_API_SECRET, etc.).Like a lobster shell, security has layers — review code before you run it.
latestvk972d4b50xw7c58k7w2mqckbgx815dhv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.