Xquik
Advisory
Audited by static analysis on May 5, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the agent could post publicly, send DMs, change social account state, start jobs, or spend credits.
The skill exposes broad X/Twitter mutation, paid, and recurring actions, but it also clearly requires explicit user confirmation before using them.
Before any visible, state-changing, paid, or recurring action, summarize the exact target, account, action, text/media when relevant, and estimated credits, then wait for explicit user confirmation. This includes posting, replying, deleting, liking, retweeting, following, unfollowing, sending DMs, editing profiles, uploading media, creating webhooks, creating monitors, running draws, and starting extraction jobs.
Only approve actions after checking the exact account, target, content, scope, and estimated cost.
Leaked or overused credentials could allow unauthorized account-backed actions or paid usage.
The skill may use sensitive account and payment/signing credentials, but the metadata discloses them and gives protective handling guidance.
XQUIK_API_KEY (optional) - Optional Xquik API key for account-backed TweetClaw workflows. Prefer storing it in OpenClaw plugin config rather than exposing it to the agent session.
MPP_SIGNING_KEY (optional) - Optional Machine Payments Protocol signing key for read-only pay-per-use mode. Store as sensitive OpenClaw plugin config and never print it.
Store credentials only in sensitive plugin configuration, avoid pasting them into chat, and rotate them if exposed.
The safety of the installed @xquik/tweetclaw package depends on that package’s actual code and provenance, not just this guide.
The guide instructs installation of an external plugin package, while the provided artifact set contains no plugin code for review.
openclaw plugins install @xquik/tweetclaw
Install only from the expected publisher/source, review the package or pin a trusted version where possible, and keep it updated.
A monitor or webhook could continue collecting or notifying about X/Twitter activity after setup.
The skill supports recurring monitoring and storage/notification behavior, but it frames them as user-confirmed and scope-limited.
For bulk extraction, draw, or monitor requests, keep limits narrow by default. State the requested limit, estimated cost, and storage or notification behavior. Ask for confirmation again if the user expands the scope, changes the target, or asks for recurring monitoring.
Set narrow limits, confirm stop conditions, and periodically review or disable active monitors and webhooks.
