zeelin-x-creator-briefing

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated briefing purpose, but it can automatically publish generated posts to X using an undeclared external posting helper and a documented daily schedule.

Install only if you intend this skill to publish to your X account. Before running it, inspect the external tweet-posting helper, confirm which X account/session it uses, disable any cron task you do not want, and modify the launcher to generate a draft first rather than posting automatically.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the default script may post generated content publicly to X rather than only creating a draft.

Why it was flagged

The packaged one-click script turns on publish mode by default. For a generated social-media post, that is a high-impact action without a visible human review or confirmation gate.

Skill content

python3 "$SCRIPT_DIR/run_briefing.py" --days 10 --publish

Recommendation

Make draft generation the default, require explicit confirmation before posting, and clearly document how to run the workflow without `--publish`.

What this means

The skill may use an existing logged-in X session or another skill's credentials without the user seeing a clear account/permission contract.

Why it was flagged

The skill advertises posting to X but declares no credential, token, session, or account boundary, leaving unclear which X identity will be used and what authority the skill expects.

Skill content

Description: ... automatically publish to the X platform ... Required env vars: none ... Env var declarations: none ... Primary credential: none

Recommendation

Declare the required X credential/session source, the target account, and the exact posting permissions before enabling publication.

What this means

Installing this skill may cause public posting through unreviewed code from another skill in the workspace.

Why it was flagged

The high-impact posting step is delegated to another local skill script that is not included in this artifact set, so its implementation and credential handling cannot be reviewed here.

Skill content

TWEET_SCRIPT = WORKSPACE / "skills" / "zeelin-twitter-web-autopost" / "scripts" / "tweet.sh"
...
subprocess.run(["bash", str(TWEET_SCRIPT), result["tweet"], "https://x.com"], check=True)

Recommendation

Review and trust `zeelin-twitter-web-autopost/scripts/tweet.sh` separately, pin or declare that dependency, and avoid auto-executing it by default.

What this means

The skill could keep generating and posting daily after the initial setup, creating unexpected public posts.

Why it was flagged

The artifacts describe a persistent enabled daily task that continues the workflow, including X publication, without a fresh user request each time.

Skill content

**Schedule**: Every day at 8:00 (0 8 * * *)
**Status**: ✅ Enabled
...
5. Automatically publish to X

Recommendation

Verify whether the cron task exists after installation, disable it unless explicitly desired, and require manual approval for scheduled posts.