Leo X Post
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-built X posting helper, but it needs X API keys and references missing scripts/docs, so users should verify the implementation and confirm posts before use.
Install only if you intend to let the agent help post to your X account. Verify the missing script and authentication guide before providing API keys, use limited-scope credentials, and require confirmation of the exact post, attachment, reply target, and schedule before publishing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command could publish the wrong text, attachment, reply, or scheduled post from the user's X account.
The skill is intended to publish, reply, attach media, and schedule posts on a public X account. This is purpose-aligned and user-directed, but it can have visible public impact.
用于发推文、带附件、回复或定时发布...运行scripts/post_to_x.py --text "你的消息" --image "可选图片路径"
Before use, confirm the exact account, post text, image path, reply target, and scheduled time; require explicit user confirmation before publishing.
Anyone or any process with those API keys may be able to post to the connected X account depending on the key permissions.
The skill requires X API keys, which grant account-level posting authority. This is expected for the integration, but the provided artifact does not show credential scope, storage, or handling details.
需要用户提供API密钥...认证:用references/auth.md的指南设置API密钥。
Use least-privilege X API credentials, avoid sharing keys in chat where possible, rotate keys if exposed, and verify how credentials are stored before installing any missing implementation.
The reviewed package may not be runnable as documented, and any separately obtained script would not be covered by this review.
The manifest contains only SKILL.md, while the instructions reference scripts/post_to_x.py and references/auth.md. The actual implementation and auth guidance were not included for review.
1 file(s): SKILL.md
Only run a reviewed, trusted post_to_x.py implementation and verify any auth instructions before providing API keys.