X OAuth API

What to check before installing: - Verify you are comfortable providing a dedicated X (Twitter) app's OAuth credentials; these tokens grant full ability to post/delete as that account. Use a dedicated app and tokens, not high-privilege or shared keys. - The package contains Node code and a package.json (node >=16) but the skill metadata does not declare Node as a required binary or provide an install step. Make sure your environment has Node and install dependencies (npm install) before expecting the CLI to work. - The included scripts will create logs and state files under $HOME/.openclaw/x-poster and $HOME/.openclaw/heartbeat (or the path you set with OPENCLAW_STATE_DIR). If you do not want files written there, inspect and modify scripts first or run in an isolated container/VM. - Automation capability: generic-post.sh is a template for automated posting. Do not schedule or enable it unless you review and customize get_content() to avoid accidental or unwanted posts. - Review the code (bin/x.js, the shell scripts) yourself; the code appears to only contact api.twitter.com and read env vars, but you should verify there are no hidden endpoints or unexpected network calls in the runtime you will use. - As a precaution, test with a throwaway or low-privilege account/app, and rotate credentials after testing if you suspect exposure. If you want me to, I can: (a) extract and show the exact lines that create files/dirs, (b) produce a minimal checklist to safely run this skill inside a container, or (c) search the code for any network calls beyond api.twitter.com.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.