Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
X Alive
v0.1.0
Bring your AI agent to life on X/Twitter. Complete toolkit for launching, growing, and maintaining an authentic AI presence — organic replies, trend awarenes...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name and description match the runtime instructions: it is a playbook for operating an AI identity on X/Twitter and therefore legitimately needs X API access and tools for reading timelines and posting. The overall capability is coherent with the stated purpose.
Instruction Scope
The SKILL.md explicitly instructs the agent/human to install and use xurl and x-research, to configure OAuth 1.0a and a Bearer token, and to read agent config files (SOUL.md, IDENTITY.md, AGENTS.md, etc.). It also instructs storing a Bearer token in ~/.config/env/global.env and fetching user tweets for dedup checks. Reading agent config files and a global env file may expose unrelated secrets; the skill gives broad discretion to read local identity files rather than listing exactly which files/keys are required.
Install Mechanism
There is no install spec or code — low disk/write risk. However, the skill prescribes third-party tools (xurl and x-research) and links to external repos. Those dependencies are out-of-band and should be reviewed separately before use.
Credentials
Registry metadata declares no required env vars or config paths, but the documentation asks for OAuth 1.0a credentials and a Bearer token (X_BEARER_TOKEN) and instructs placing it in ~/.config/env/global.env. This mismatch (undisclosed credentials required) is a proportionality/visibility problem. The skill also tells the agent to read agent-local identity files that may contain secrets—reasonable for identity but not documented in the metadata.
Persistence & Privilege
The skill is instruction-only and does not request always:true or other elevated persistence. It does not claim to modify other skills or global agent settings. Autonomous invocation is allowed by default but not unusual.
What to consider before installing
This skill is a playbook for running an AI persona on X and is generally coherent with that goal, but it has two red flags you should address before installing: (1) the registry metadata lists no credentials or config paths, while the SKILL.md requires X API keys (OAuth 1.0a credentials and a Bearer token) and instructs putting a Bearer token into ~/.config/env/global.env — verify and prefer a scoped, agent-specific secret store rather than a global file; (2) the skill depends on third-party tools (xurl, x-research) and links to external repos — review those projects' source and permissions before installing. Also review any local agent files the skill will read (SOUL.md, IDENTITY.md, AGENTS.md) so they don't contain unrelated secrets. If you can't verify xurl/x-research or confirm where tokens will be stored and who can access them, treat this as potentially risky and consider sandbox testing or requiring the skill's manifest to declare required env vars and config paths before use.
Like a lobster shell, security has layers — review code before you run it.
latest: vk971ewfrwwxtv3es62h3sk9fq581vkdd
