X tweet publisher
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward X posting tool, but it needs account write tokens and can publish public tweets or media, so only use it with content you approve.
Install only if you are comfortable granting this skill X account posting credentials. Use scoped or dedicated tokens, approve the exact tweet text and media before each run, and consider pinning Tweepy to a reviewed version.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unintended invocation could publish content publicly from the user's X account.
The script directly creates tweets through the X API. This is the advertised purpose, but it is a public, account-mutating action if invoked with the wrong text or media.
response = client.create_tweet(text=text)
Review and approve the exact tweet text and media before running; consider adding a dry-run or confirmation step for agent-driven use.
Anyone or any process with access to these tokens may be able to post through the configured X account, depending on token permissions.
The skill requires X API credentials and access tokens. These are expected for posting tweets, but they grant authority to act on the connected X account.
X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET, X_BEARER_TOKEN
Use least-privilege tokens, preferably from a dedicated X developer app/account, keep them out of logs, and rotate them if exposed.
A future or unexpected dependency version could behave differently from the version the skill author tested.
Setup relies on installing an external Python package without a pinned version. This is normal for this integration, but it leaves dependency version/provenance to the user's environment.
pip3 install tweepy --user
Install Tweepy from the official PyPI package, consider pinning a known-good version, and review dependency updates.