xqueue

Review

Audited by ClawScan on May 10, 2026.

Overview

XQueue is a coherent X/Twitter scheduler, but review is warranted because it can automatically publish and delete content. Visible code can also read macOS Keychain credentials with a hard-coded default account, and may post long drafts as threads despite documentation saying they are rejected.

Before installing, inspect the full xqueue-post.py, run in dry-run mode, set X credentials explicitly with environment variables, avoid relying on the Keychain fallback unless you configure it intentionally, and confirm whether long drafts should be rejected or auto-threaded. Do not enable cron until the queue contents, deletion setting, and posting behavior match what you want.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A long draft the user expected to fail may instead be published as a multi-tweet thread.

Why it was flagged

The visible SKILL.md text says tweets over 280 characters are rejected and not posted, but this code path automatically splits long content into tweet-sized chunks. In an automatic public-posting scheduler, that mismatch can cause more public posts than the user expected.

Skill content

Auto-threads tweets that exceed 280 chars.

Recommendation

Make the behavior match the documentation, or require an explicit config option/confirmation for auto-threading overlong drafts.

What this means

The skill may try to use local Keychain-stored X credentials that the user did not explicitly provide through environment variables.

Why it was flagged

If X credential environment variables are missing, the script attempts to read macOS Keychain generic-password entries for X API credential services, defaulting to a hard-coded account name rather than an explicitly configured user account.

Skill content

account = os.environ.get("XQUEUE_KEYCHAIN_ACCOUNT", "meimakes") ... ["security", "find-generic-password", "-a", account, "-s", service, "-w"]

Recommendation

Require explicit opt-in for Keychain use, remove the hard-coded default account, and document exactly which Keychain services/accounts will be read.

What this means

Files placed in the queue can be publicly posted and then removed without per-post confirmation.

Why it was flagged

Automatic posting to a public X account and deletion of queued files are high-impact actions, but they are central to the skill’s purpose and are disclosed.

Skill content

A cron job checks every 15 minutes — if it's the right day and time and there's content, it posts and cleans up. ... After posting, files are deleted (by default)

Recommendation

Use dry-run mode first, keep backups of queued content, and verify cron timing and deleteAfterPost settings before enabling real posting.

What this means

Scheduled content may continue posting in future weeks if the cron job remains active and files are left in the queue.

Why it was flagged

The scheduler is intended to run persistently via cron. This is disclosed and purpose-aligned, but users should understand it will continue operating until the cron job is disabled.

Skill content

Designed to run on a 15-minute cron cycle. Each tick: ... Posts slot content

Recommendation

Document how to disable/remove the cron job and periodically review the queue and backlog folders.