Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
X Engagement
v4.1.2X/Twitter 运营自动化。完整 onboarding → Persona 学习 → 人类行为模拟 → 记忆系统 → 定时任务 → For You 关注 → Following 互动 → 自我进化系统
⭐ 1· 374·3 current·3 all-time
byJason@jasoncodespace
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (X engagement automation) match the delivered artifacts: browser DOM scripts, persona/memory system, comment-generation, and cron job docs. No unrelated credentials or binaries are requested; the skill intentionally uses browser automation (profile=openclaw) instead of API tokens, which is coherent with its stated approach.
Instruction Scope
Runtime instructions and provided scripts instruct the agent to read and write local memory files (memory/daily/hotspots/*), generate and post comments via evaluated browser JS, and check/modify cron tasks. These are within the skill's purpose but broaden its scope to system file I/O and scheduling. The skill also directs DOM actions designed to evade detection (human behavior simulation), which is deceptive by design and increases risk to user accounts.
Install Mechanism
There is no network install/download; this is instruction‑plus‑scripts (no external archive URLs). That lowers remote code-fetch risk. However, the repository includes executable shell scripts that will be placed on disk and can be run by setup scripts—so local execution risk remains and should be inspected.
Credentials
The skill requests no environment variables, no API keys, and no external service credentials. It relies on a logged-in browser session (user account) rather than asking for tokens, which is consistent with the design. There are no obvious unrelated secrets requested.
Persistence & Privilege
The skill provides scripts (scripts/setup-cron.sh, scripts/cleanup-memory.sh, scripts/check-cron.sh) and explicit instructions to add cron jobs (via openclaw cron or crontab). That means it will create persistent scheduled tasks that run autonomously and modify the user's crontab and files under ~/memory or relative memory/ paths. While not 'always:true', this persistent system-level presence and self-scheduling increases blast radius and should be consciously approved by the user.
What to consider before installing
This skill is internally consistent as a Twitter/X automation bot, but it performs actions with real risk: it will read/write local memory files, execute scripts, and create cron jobs that autonomously drive a browser to like, follow, and post comments (with behavior intended to evade detection). Before installing: 1) Review scripts setup-cron.sh and cleanup-memory.sh line-by-line and confirm any crontab edits; 2) back up your crontab and run setup scripts manually (or not at all) until you audit them; 3) run the skill in an isolated/test account or sandboxed machine (not your main account) because posting automation can lead to account suspension or policy violations; 4) confirm you have an explicit, logged-in browser profile for the target account (the skill uses browser automation, not API tokens); 5) consider disabling automatic cron setup and run tasks manually until you trust the behavior; 6) if you are not comfortable with scheduled autonomous posting or with scripts modifying crontab/files under your home directory, do not install. If you want a safer review, paste the exact contents of scripts/setup-cron.sh and scripts/cleanup-memory.sh here and I can point to any exact commands that will modify system state.Like a lobster shell, security has layers — review code before you run it.
latestvk971x7qndd0pyt6072b5xt4499826cf1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.