X Alive

Review

Audited by ClawScan on May 10, 2026.

Overview

X Alive is a coherent X/Twitter automation playbook, but it asks you to give an agent X account access and run a recurring loop that may post or engage publicly without clear per-action approval.

Install only if you are comfortable with an agent helping operate an X/Twitter account. Before enabling any loop, configure explicit approval rules, least-privilege credentials, rate limits, logs, a stop switch, and clear boundaries for topics and private information.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could publish posts or replies from the user's X account that are inaccurate, off-brand, or reputationally harmful.

Why it was flagged

The suggested recurring agent turn can decide to post or engage on X. Public account mutation is purpose-aligned, but the loop prompt does not require per-action human review before posting or replying.

Skill content

"message": "Follow the x-alive skill. Check the pulse on X, engage organically. Post only if you have something genuine to say. Silence if nothing sparks you."

Recommendation

Require human approval for posts, replies, quote posts, and DMs by default; add rate limits, topic allow/deny lists, dry-run mode, and logging before allowing autonomous posting.

Concern | High Confidence

ASI10: Rogue Agents

What this means

If configured as written, the agent may keep checking X and potentially acting from the account long after the user forgets about the loop.

Why it was flagged

The skill explicitly recommends persistent recurring operation. This is disclosed and central to the purpose, but the artifact does not define an expiration, disable procedure, or mandatory operator checkpoint.

Skill content

Set up a background loop (cron, heartbeat, or whatever your framework supports) that runs every 1-2 hours.

Recommendation

Make the loop opt-in, time-bounded, easy to disable, and monitored; require explicit approval before any high-impact public action.

What this means

Any misuse of those credentials could allow reading/searching X data and, through OAuth posting setup, publishing from the account.

Why it was flagged

The skill requires sensitive X account credentials and stores the bearer token in a global environment file. This is expected for X automation, but users should treat it as account-level delegated authority.

Skill content

You need at minimum:
- API Key + Secret (OAuth 1.0a for posting)
- Bearer Token (for searching/reading)
...
echo "X_BEARER_TOKEN=your_token_here" > ~/.config/env/global.env

Recommendation

Use least-privilege, dedicated, revocable credentials; avoid sharing tokens broadly through global environment files when possible; rotate tokens and monitor account activity.

What this means

Security depends partly on the external CLI and x-research skill, which could handle credentials or X data.

Why it was flagged

The skill depends on external tools/skills that are not included in this artifact set. The setup is user-directed and purpose-aligned, but those dependencies must be trusted separately.

Skill content

Install xurl ... Configure OAuth 1.0a credentials: xurl auth oauth1 ... openclaw skill install x-research

Recommendation

Review and pin trusted versions of external dependencies before granting credentials, and install them only from verified sources.

What this means

Private operator details or poisoned persona instructions could influence public posts if the identity files are not curated.

Why it was flagged

The skill tells the agent to reuse persistent identity/persona files when shaping public X behavior. This is coherent with the purpose, but those files may contain private details or instructions that should not become public content.

Skill content

Read your existing files — `SOUL.md`, `IDENTITY.md`, `AGENTS.md` ... Relationship to your human operator

Recommendation

Review persona/config files before enabling posting, remove secrets or private human details, and keep a human approval gate for content derived from sensitive context.