Lebevolae X Post

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong text or image, the agent could publish unwanted content to the connected X/Twitter account.

Why it was flagged

The skill's core action is publishing user-supplied text or one local image to X/Twitter. That is purpose-aligned, but public posting is a high-impact action and the artifact does not add a separate confirmation step.

Skill content

Post a tweet to X, supporting plain text or one local image. ... leo, tweet: The weather is nice today! #test

Recommendation

Review the exact post text and selected image before allowing the skill to post, and consider requiring confirmation for every publish action.

What this means

Anyone or any agent process with access to these credentials may be able to post through the connected X/Twitter app/account.

Why it was flagged

The skill needs write-capable X/Twitter developer credentials. This matches the posting purpose, but those credential requirements are not reflected in the registry metadata's env var or primary credential declarations.

Skill content

Requires the 4 credentials of an X Developer account ... OAuth 1.0a read+write ... TWITTER_API_KEY ... TWITTER_API_SECRET ... TWITTER_ACCESS_TOKEN ... TWITTER_ACCESS_SECRET

Recommendation

Use a dedicated X Developer app/account if possible, store the secrets securely, limit token permissions to what is needed, and revoke or rotate the tokens if the skill is no longer used.