X Growth Operator / X 增长运营助手

Review

Audited by ClawScan on May 18, 2026.

Overview

This is a coherent review-first X operations skill, but it can post publicly through your X account and stores local mission, memory, and execution files.

Install this only if you intend to let it help operate an X account. Keep the X API credentials limited to the intended account, review every proposed post/reply before live execution, and periodically inspect or delete the local `data/` files if they contain sensitive campaign information.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you approve live execution, the skill can publish posts, replies, or quote posts from your X account.

Why it was flagged

The skill can perform real public X account actions, which is high-impact, but the artifact explicitly frames this as approval-gated and central to the skill's purpose.

Skill content

This skill can perform real authenticated X actions only in `x-api` mode and only after explicit approval.

Recommendation

Review the generated action text and target before approving `--mode x-api` or using the dashboard's live execution.

What this means

The configured credentials determine which X account the skill can act as.

Why it was flagged

The skill requires OAuth credentials that grant access to an X account. This is expected for posting through the X API and is disclosed.

Skill content

Required environment variables for real X execution: `X_API_KEY`, `X_API_SECRET`, `X_ACCESS_TOKEN`, `X_ACCESS_TOKEN_SECRET`

Recommendation

Use credentials for the intended account only, store them carefully in `scripts/.env`, and avoid sharing generated bundles or logs that might include local configuration.

What this means

A future npm dependency version could behave differently from the version the publisher tested.

Why it was flagged

The skill installs npm packages without pinned versions in the provided install specification. These dependencies are purpose-aligned and common, but unpinned installs can change over time.

Skill content

node | package: commander; node | package: dotenv; node | package: https-proxy-agent; node | package: socks-proxy-agent

Recommendation

Install in a controlled environment and consider pinning dependency versions if you use this for production account operations.

What this means

Running live actions executes local Python and Node code from the skill package.

Why it was flagged

The Python execution layer launches the Node X OAuth CLI. This local subprocess use is expected for the skill's posting workflow and is not shown doing unrelated shell execution.

Skill content

`completed = subprocess.run(cmd, check=False, capture_output=True, text=True)`

Recommendation

Only run the skill from a trusted copy, and review live-action outputs before approving execution.

What this means

Your mission brief, draft actions, feedback signals, and execution history may remain in local `data/` files and influence later recommendations.

Why it was flagged

The skill intentionally stores operational memory and execution history for future review and feedback. This persistence is disclosed and aligned with the stated workflow.

Skill content

Persist an audit trail and lightweight memory loop

Recommendation

Review or clear the local `data/` directory when switching accounts, brands, or sensitive campaigns.