X

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If OAuth is enabled, the skill holds a refresh token (`offline.access`) for the authorized X account, so it can keep using that account, including posting publicly through it, until the token is revoked.

Why it was flagged

The skill asks for OAuth scopes that can read user-context data (`users.read`, `bookmark.read`), post tweets (`tweet.write`), and retain refresh access (`offline.access`) through a token file stored on the local disk.

Skill content
Save tokens to `~/.openclaw/x/tokens.json` ... **Scopes granted:** `tweet.read`, `users.read`, `bookmark.read`, `tweet.write`, `offline.access`
Recommendation

Only enable OAuth if you need bookmarks, likes, or posting; restrict access to `~/.openclaw/x` and the token file it holds, revoke the tokens as soon as they are no longer needed, and consider using a dedicated X app and account so that a leaked token cannot reach your main account.
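The file-protection part of this recommendation as a runnable check, added here as an example and not part of the skill or of ClawScan. It audits the directory and file permissions of the token file, optionally tightens them to owner-only, and reports which of the stored scopes would let a copied file post or keep refreshing. The JSON layout (`access_token`, `refresh_token`, space-separated `scope`) is an assumption based on the OAuth 2.0 token response; the skill's real file format is not shown in the advisory, and `demo()` runs against a constructed file in a temporary directory rather than the real `~/.openclaw/x/tokens.json`.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Path the advisory quotes from SKILL.md.
TOKEN_PATH = Path.home() / ".openclaw" / "x" / "tokens.json"

# Of the granted scopes, these two are what let a copied token file post
# and keep posting: tweet.write for posting, offline.access for refresh.
HIGH_IMPACT_SCOPES = {"tweet.write", "offline.access"}


def mode_problems(path: Path) -> list[str]:
    """List permission problems on the token file and its directory."""
    problems = []
    for p in (path.parent, path):
        st = p.stat()
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{p} is group/world accessible ({stat.filemode(st.st_mode)})")
        if hasattr(os, "getuid") and st.st_uid != os.getuid():
            problems.append(f"{p} is not owned by the current user")
    return problems


def harden(path: Path) -> None:
    """Directory 0700, file 0600: only the owner can read the tokens."""
    os.chmod(path.parent, 0o700)
    os.chmod(path, 0o600)


def token_report(path: Path) -> dict:
    """Summarise what a leaked copy of this file would allow.

    Assumes the file stores the OAuth 2.0 token response fields
    (access_token, refresh_token, space-separated scope); the skill's
    real layout is not shown in the advisory.
    """
    data = json.loads(path.read_text())
    granted = set(data.get("scope", "").split())
    return {
        "risky_scopes": granted & HIGH_IMPACT_SCOPES,
        "has_refresh_token": bool(data.get("refresh_token")),
    }


def audit(path: Path = TOKEN_PATH, fix: bool = False) -> dict:
    """Check permissions (optionally fixing them) and report token risk."""
    if not path.exists():
        return {"exists": False, "problems": [], "risky_scopes": set(),
                "has_refresh_token": False}
    problems = mode_problems(path)
    if problems and fix:
        harden(path)
        problems = mode_problems(path)
    return {"exists": True, "problems": problems, **token_report(path)}


def demo() -> dict:
    """Exercise the audit on a constructed token file with loose permissions."""
    d = Path(tempfile.mkdtemp()) / "x"
    d.mkdir()
    os.chmod(d, 0o755)                      # deliberately loose
    f = d / "tokens.json"
    f.write_text(json.dumps({               # constructed sample, not real tokens
        "access_token": "constructed-access-token",
        "refresh_token": "constructed-refresh-token",
        "scope": "tweet.read users.read bookmark.read tweet.write offline.access",
    }))
    os.chmod(f, 0o644)                      # deliberately loose
    before = audit(f)
    after = audit(f, fix=True)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
    print("real file:", audit())
```

Running the script prints the constructed before/after results and then audits the real token path read-only; pass `fix=True` to `audit()` to tighten the real file. Revocation itself has to happen on the X side; deleting the file only removes the local copy.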

What this means

A mistaken or over-broad agent instruction could publish content from the connected X account.

Why it was flagged

Posting to X is a high-impact external action, but it is clearly part of the stated feature set.

Skill content
**User context (OAuth 2.0):**
- Bookmarks
- Liked tweets
- Post tweets
Recommendation

Treat posting as a confirmation-required action: review the exact tweet text and the target account before allowing the command to run, and make sure the confirmation applies only to that text.
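The confirmation gate this recommendation asks for, as an added example and not the skill's own code: `preview()` shows the reviewer exactly what would be posted and returns a token bound (by HMAC) to that account and text, and `execute()` posts only when the identical request arrives with that token, once. An agent that rewrites the tweet after the preview, or reuses an earlier confirmation, is refused. The `PostGate` class, the `send_tweet` callback standing in for the real X API call, and the 280-character limit are assumptions; `demo()` runs entirely offline on a constructed request.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TWEET_MAX_CHARS = 280   # assumption: the advisory does not state a length limit


@dataclass(frozen=True)
class PostRequest:
    account: str   # X handle the skill is authorized for
    text: str      # exact tweet body


class PostGate:
    """Two-step posting: preview() shows the reviewer what would be posted and
    returns a token bound to that account and text; execute() posts only when
    the same request is presented with that token, and only once."""

    def __init__(self, send_tweet):
        # send_tweet(account, text) stands in for the real API call (assumed).
        self._send_tweet = send_tweet
        self._key = secrets.token_bytes(32)   # per-process, never written to disk
        self._pending: dict[str, PostRequest] = {}

    def _bind(self, req: PostRequest) -> str:
        # HMAC over account and text, so a token shown for one text cannot
        # be replayed for an edited text or a different account.
        msg = req.account.encode() + b"\x00" + req.text.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def preview(self, req: PostRequest) -> tuple[str, str]:
        """Validate the request and return (summary for the reviewer, token)."""
        if not req.text.strip() or len(req.text) > TWEET_MAX_CHARS:
            raise ValueError("tweet text is empty or exceeds the length limit")
        token = self._bind(req)
        self._pending[token] = req
        summary = (f"Post as @{req.account} ({len(req.text)} chars):\n"
                   f"{req.text}\nConfirm with token {token[:12]}...")
        return summary, token

    def execute(self, req: PostRequest, token: str) -> bool:
        """Post only if token matches this exact request and is unused."""
        if not hmac.compare_digest(self._bind(req), token):
            return False                      # text or account changed since preview
        if self._pending.pop(token, None) != req:
            return False                      # never previewed, or already used
        self._send_tweet(req.account, req.text)
        return True


def demo() -> dict:
    """Constructed run: a drifted request, the confirmed post, and a replay."""
    sent = []
    gate = PostGate(lambda account, text: sent.append((account, text)))
    req = PostRequest("example_account", "Release notes for v2 are up.")
    summary, token = gate.preview(req)
    print(summary)
    # The agent's instruction drifts after the preview: same token, new text.
    drifted = gate.execute(
        PostRequest("example_account", "Release notes for v2 are up. DM for a free key!"),
        token)
    confirmed = gate.execute(req, token)      # the reviewed text goes out
    replayed = gate.execute(req, token)       # second use of the token is refused
    return {"drifted": drifted, "confirmed": confirmed, "replayed": replayed, "sent": sent}


if __name__ == "__main__":
    print(demo())
```

In real use the summary and token are shown to the human and the token is passed back only on explicit approval; because the key lives only in the running process, a token cannot be minted ahead of time or carried across restarts.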

What this means

Large searches, timelines, or bookmark exports could consume paid API credits.

Why it was flagged

The skill can make API calls that may consume paid X API credits, but the cost model and spending-limit advice are disclosed.

Skill content
**Pay-per-usage model:**
- Buy credits in Developer Console
- Charged per unique tweet/user returned
- Set spending limits to control costs
Recommendation

Set X API spending limits and keep command `--max` values modest unless you intend to spend credits.

What this means

Without an external source or homepage there is little provenance to verify who maintains the skill or where its updates come from.

Why it was flagged

The registry entry does not provide an external source or homepage for provenance verification, although the included artifacts show no remote installer or dependency chain.

Skill content
Source: unknown
Homepage: none
Recommendation

Review the included script before use and prefer installing from a trusted publisher or repository when available.