XRepl AI - Tweet Generator

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated X/Twitter tweet-generation purpose, but it uses a token-backed external MCP package that can draft, schedule, and publish public posts.

This looks coherent for an XReply tweet-generation integration. Before installing, make sure you trust XReplyAI and the npm MCP package, keep XREPLY_TOKEN protected, preview generated posts, and require explicit approval before publishing, scheduling, deleting, or enabling auto-retweets.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could publish or schedule public posts that affect the user's reputation or account.

Why it was flagged

The skill exposes a tool that can create public X/Twitter posts or scheduled posts. This is disclosed and central to the purpose, but it is a high-impact action that should be user-approved.

Skill content

xreply_posts_publish ... Publish or schedule a post to X/Twitter ... omit to publish immediately

Recommendation

Use draft generation first, review the exact post body and schedule, and require explicit user confirmation before publishing, deleting, scheduling, or enabling auto-retweets.

What this means

Anyone or anything with access to the token may be able to call XReply tools for the user's account.

Why it was flagged

The skill uses a service JWT and a connected X account to perform account-backed actions. This is expected for the integration, but it is delegated account authority.

Skill content

All tools require an `XREPLY_TOKEN` environment variable — a JWT token from XreplyAI Settings ... Requires X account to be connected.

Recommendation

Store the token only in the intended secret/config mechanism, rotate it if exposed, and use the least-privileged account setup available.

What this means

The security of the skill depends on the npm package and publisher remaining trustworthy.

Why it was flagged

Runtime behavior is delegated to an external npm package invoked through npx, and the provided artifacts do not include that package's implementation.

Skill content

The XReply MCP server is published as `@xreplyai/mcp` on npm. You invoke tools via `mcporter`: `mcporter call 'npx @xreplyai/mcp'`

Recommendation

Install only if you trust XReplyAI and the npm package; prefer pinned versions or reviewed package provenance where possible.

What this means

Drafts and writing-style information may reveal personal preferences, branding, or private topics.

Why it was flagged

The skill uses and stores user-specific writing context and saved drafts. This is expected for an AI tweet generator, but it is persistent personalized context.

Skill content

Generate a single AI post in the user's voice and auto-save it as a draft ... voice profile status ... writing style summary

Recommendation

Avoid putting sensitive material into prompts or drafts, and review XReplyAI's retention/privacy settings for voice profiles and saved posts.

What this means

Scheduled posts or auto-retweets may happen later if the user forgets they were configured.

Why it was flagged

The skill can configure future posting and auto-retweet behavior. This is disclosed and purpose-aligned, but it means actions can occur later after the initial command.

Skill content

`scheduled_at` ... to schedule ... `auto_rt_hours` ... hours after publishing to auto-retweet

Recommendation

Review the queue regularly and confirm timing and auto-retweet settings before enabling future actions.