Baoyu Post To X
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill can post from your X account using a saved browser login and explicitly bypasses X anti-bot protections, so it needs careful review before use.
Install only if you intentionally want browser-based X automation that may bypass platform anti-bot controls. Use a dedicated Chrome profile/account, inspect or disable EXTEND.md settings, keep preview mode on by default, and require explicit confirmation before any --submit action.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could control a logged-in X browser to publish public content, and the anti-detection design may violate platform expectations or account rules.
The stated capability combines account-controlled public posting with deliberate anti-bot/anti-automation evasion, which is higher-risk than a normal compose assistant.
Posts text, images, videos, and long-form articles to X via real Chrome browser (bypasses anti-bot detection).
Use only with explicit per-post confirmation, keep preview-only behavior unless the user clearly approves publishing, and prefer official/scoped APIs or a dedicated account/profile.
A saved X session may be reused by later invocations to act on the account without re-login.
The skill depends on a persistent logged-in X session to act as the user, but the provided metadata declares no primary credential and does not clearly bound the profile/session lifecycle.
First run: manual login required (session saved)
Use a dedicated Chrome profile and account, document the saved-session requirement in metadata, and require explicit approval before any post is submitted.
A local project file could cause the skill to use an unexpected browser profile or submit posts automatically if the agent applies those settings.
A project-level or home-level EXTEND.md can change profile and auto-submit behavior; for a public-posting skill, untrusted or stale local preferences could alter high-impact actions.
Found │ Read, parse, apply settings ... EXTEND.md Supports: Default Chrome profile | Auto-submit preference
Treat EXTEND.md as untrusted configuration, require direct user confirmation for auto-submit/profile changes, and define a strict, limited schema.
A future or compromised package resolution could affect how the skill runs.
Using npx -y can fetch and run an unpinned runtime/package at execution time; this is purpose-aligned with running Bun scripts but creates supply-chain variability.
spawnSync('npx', ['-y', 'bun', scriptPath, ...args], { stdio: 'inherit' });Pin the Bun runtime version or require a preinstalled trusted Bun binary instead of invoking npx -y during skill execution.
Clipboard content could be pasted into the wrong app or window, and the required OS accessibility permissions are broad.
The skill sends OS-level paste keystrokes through automation tools; this supports image/article posting but can affect the active application if focus is wrong.
tell application "System Events" ... keystroke "v" using command down
Grant accessibility permissions carefully, keep the intended Chrome window visible and focused, and review the composed post before submitting.