X Engagement
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent X/Twitter engagement assistant, but users should notice that it controls a logged-in browser, can perform public account actions after confirmation, and stores local engagement memory.
Before installing or using this skill, make sure you are comfortable letting it operate a logged-in X/Twitter browser session. Keep the documented confirmation flow enabled, verify the Browser Relay CLI before running `npx`, and periodically inspect or clean the local memory files that store your activity and personal facts.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used, the agent may like, follow, or comment from the user's X account, which can affect the user's public profile and reputation.
The skill can drive browser actions that mutate an X/Twitter account, but the documented flow requires preview and user confirmation before these write actions.
Likes, follows, and comments are all generated as suggestions first, and the user then confirms whether to execute them
Only approve actions after reviewing the exact target tweet/account and final text; do not enable any workflow that bypasses the confirmation steps.
Actions are performed as the currently logged-in X user, so using the wrong browser profile or account could cause unintended public activity.
The skill relies on the user's already-authenticated browser session rather than a separate API token, giving it delegated access to the logged-in X account through browser automation.
Chrome/Chromium is logged in to the target X account
Use a dedicated browser profile or tab for the intended X account and confirm the logged-in identity before allowing any write action.
Running an unverified or changed external package could expose the browser automation channel to code outside this reviewed skill.
The documented setup runs an external CLI through `npx` without a pinned version in the skill artifacts. This is central to the browser-control purpose, but it is still external code execution.
npx browser-relay-cli version
npx browser-relay-cli extension-path
npx browser-relay-cli relay-start
Verify the Browser Relay project and npm package, consider pinning a known version, and review the external tool before running it with a logged-in browser.
Personal statements and engagement history may persist locally and influence future public comments or recommendations.
The memory design stores user facts, preferences, comment history, personas, and daily logs, with some data retained permanently and reused in future comment generation.
User facts | Permanent | Always retained
Review the memory directory periodically, delete facts you do not want retained, and be cautious about letting untrusted social content become long-term playbook guidance.
