X
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: twitter-api-v2
Version: 1.0.0

The skill bundle provides a well-structured and safe implementation for interacting with the X (Twitter) API v2 using only the Python standard library. The main script (scripts/x.py) implements standard authentication flows, including Bearer tokens and OAuth 2.0 with PKCE, and correctly handles local credential storage in ~/.openclaw/x. There is no evidence of data exfiltration, malicious execution, or prompt injection attempts in SKILL.md or the supporting documentation (SETUP.md, references/pricing.md). The use of a temporary local HTTP server for OAuth callbacks is a standard and appropriate practice for CLI-based authentication.
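The overview above says the script does OAuth 2.0 with PKCE and receives the callback on a temporary local HTTP server. The following added example (written for this review, not code from the skill's scripts/x.py) shows what a reviewer should expect such a flow to contain: a random S256 code verifier/challenge pair, a `state` value that the local callback handler must check before accepting the authorization code, and a token-exchange body that carries the verifier. The authorize endpoint URL, client ID, port and redirect path are assumptions for illustration; the scope list is the one the skill documents. The PKCE test vector in the usage note is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed authorize endpoint for illustration; check the skill's script for the URL it really uses.
AUTHORIZE_URL = "https://twitter.com/i/oauth2/authorize"

# Scopes listed in the skill's SKILL.md (per the review above).
SKILL_SCOPES = ["tweet.read", "users.read", "bookmark.read", "tweet.write", "offline.access"]


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes give a 43-character verifier, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 method: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scopes, state: str, challenge: str) -> str:
    """URL the user opens in a browser; state and challenge bind the callback to this attempt."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(callback_request_url: str, expected_state: str) -> str:
    """What the temporary local HTTP server must do with the request it receives.

    Rejects callbacks whose state does not match the value generated for this
    login attempt, so a stray or attacker-supplied request to the local port
    cannot inject an authorization code.
    """
    query = parse_qs(urlparse(callback_request_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not bound to this login attempt")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request_body(code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Form body for the token endpoint; the verifier proves we started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    # Offline walk-through with an assumed client ID and local redirect.
    verifier = make_verifier()
    state = b64url(secrets.token_bytes(16))
    redirect = "http://127.0.0.1:8080/callback"
    print(build_authorize_url("example-client-id", redirect, SKILL_SCOPES, state, make_challenge(verifier)))
    # Simulated callback request as the local server would see it (constructed).
    code = extract_code(f"{redirect}?state={state}&code=example-code", state)
    print(token_request_body(code, verifier, "example-client-id", redirect))
```

Usage note: when reviewing the real script, confirm the same three properties: the verifier is random and at least 43 characters, the challenge method is `S256` rather than `plain`, and the callback handler compares `state` before it trusts `code`. With the RFC 7636 Appendix B verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, `make_challenge` must return `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`.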
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
**Impact:** If OAuth is enabled, the skill can keep using the authorized X account and can post publicly through that account until access is revoked.
**Detail:** The skill asks for OAuth scopes that can read user-context data, post tweets, and keep refresh access via a locally stored token file.
**Evidence:** Save tokens to `~/.openclaw/x/tokens.json` ... **Scopes granted:** `tweet.read`, `users.read`, `bookmark.read`, `tweet.write`, `offline.access`
**Recommendation:** Only enable OAuth if you need bookmarks, likes, or posting; protect the ~/.openclaw/x files, revoke tokens when no longer needed, and consider using a dedicated X app/account.
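The recommendation to protect the ~/.openclaw/x files is easy to check mechanically. The following added example (written for this review, not part of the skill) audits a token file for two things: that the file and its directory are not readable by group or others, and that the granted scopes stay within an allowlist, with `tweet.write` and `offline.access` called out as high impact because they allow public posting and persistent access. The page does not show the layout of tokens.json, so the example assumes a JSON object with an OAuth-style space-separated `scope` field; the sample file it writes into a temporary directory is constructed for the demo.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Scopes the skill's SKILL.md lists (per the review above).
GRANTED_SCOPES = {"tweet.read", "users.read", "bookmark.read", "tweet.write", "offline.access"}

# A read-only allowlist for a deployment that only needs search/timeline/bookmark reads.
READ_ONLY_SCOPES = {"tweet.read", "users.read", "bookmark.read"}

# Scopes that change state or keep access alive; each is reported even when allowed.
HIGH_IMPACT = {
    "tweet.write": "can post publicly from the connected account",
    "offline.access": "keeps a refresh token, so access persists until revoked",
}

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def check_permissions(token_file: Path) -> list[str]:
    """Flag the token file or its directory if anyone but the owner can reach it."""
    findings = []
    file_mode = stat.S_IMODE(token_file.stat().st_mode)
    if file_mode & GROUP_OR_OTHER:
        findings.append(f"{token_file} is accessible to group/others (mode {oct(file_mode)}); expected 0600")
    dir_mode = stat.S_IMODE(token_file.parent.stat().st_mode)
    if dir_mode & GROUP_OR_OTHER:
        findings.append(f"{token_file.parent} is accessible to group/others (mode {oct(dir_mode)}); expected 0700")
    return findings


def load_scopes(token_file: Path) -> set[str]:
    """Assumed layout: JSON object whose 'scope' field is a space-separated string or a list."""
    data = json.loads(token_file.read_text())
    scope = data.get("scope", "")
    return set(scope.split()) if isinstance(scope, str) else set(scope)


def check_scopes(granted, allowed) -> list[str]:
    """Report scopes outside the allowlist and every high-impact scope that was granted."""
    findings = []
    extra = sorted(set(granted) - set(allowed))
    if extra:
        findings.append(f"scopes beyond allowlist: {extra}")
    for scope in sorted(granted):
        if scope in HIGH_IMPACT:
            findings.append(f"high-impact scope {scope}: {HIGH_IMPACT[scope]}")
    return findings


def audit_token_file(token_file: Path, allowed_scopes) -> list[str]:
    if not token_file.exists():
        return []  # OAuth never enabled: nothing stored, nothing to protect
    return check_permissions(token_file) + check_scopes(load_scopes(token_file), allowed_scopes)


def harden(token_file: Path) -> None:
    """Owner-only directory and file, the layout the recommendation asks for."""
    os.chmod(token_file.parent, 0o700)
    os.chmod(token_file, 0o600)


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a token file left world-readable, audited before and after hardening."""
    root = Path(tempfile.mkdtemp())
    x_dir = root / ".openclaw" / "x"
    x_dir.mkdir(parents=True)
    token_file = x_dir / "tokens.json"
    token_file.write_text(json.dumps({
        "token_type": "bearer",
        "access_token": "example-access-token",   # placeholder, not a real credential
        "refresh_token": "example-refresh-token",  # placeholder, not a real credential
        "scope": " ".join(sorted(GRANTED_SCOPES)),
    }))
    os.chmod(x_dir, 0o755)
    os.chmod(token_file, 0o644)
    before = audit_token_file(token_file, READ_ONLY_SCOPES)
    harden(token_file)
    after = audit_token_file(token_file, READ_ONLY_SCOPES)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before hardening:", *before, sep="\n  ")
    print("after hardening:", *after, sep="\n  ")
```

On a real install, point `audit_token_file` at `~/.openclaw/x/tokens.json`; the permission findings disappear after `harden`, while the scope findings stay until the app is re-authorized with fewer scopes or the token is revoked.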
**Impact:** A mistaken or over-broad agent instruction could publish content from the connected X account.
**Detail:** Posting to X is a high-impact external action, but it is clearly part of the stated feature set.
**Evidence:** **User context (OAuth 2.0):** - Bookmarks - Liked tweets - Post tweets
**Recommendation:** Treat posting as a confirmation-required action: review the exact tweet text and account before allowing the command to run.
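One way to make posting confirmation-required in an agent harness, as an added example that is not part of the skill: approval is bound to a digest of the exact account and tweet text and is single-use, so text that an agent rewrites after a human approved it, or a second post riding on the same approval, is refused before any API call. The `approver` and `poster` callables are hypothetical hooks; in a real harness the poster would invoke the skill's post command and the approver would show the text to a human.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class PostRequest:
    account: str
    text: str


def request_digest(req: PostRequest) -> str:
    """Approval is tied to this value, so any change to account or text invalidates it."""
    return hashlib.sha256(f"{req.account}\n{req.text}".encode("utf-8")).hexdigest()


class PostGate:
    def __init__(self, approver: Callable[[PostRequest], bool], poster: Callable[[str, str], dict]):
        self._approver = approver   # hypothetical hook: shows account + exact text to a human, returns True/False
        self._poster = poster       # hypothetical hook: performs the real post (e.g. the skill's post command)
        self._approved: set[str] = set()

    def request(self, req: PostRequest) -> bool:
        """Ask for approval of exactly this request; remember it only if granted."""
        if not self._approver(req):
            return False
        self._approved.add(request_digest(req))
        return True

    def post(self, req: PostRequest) -> dict:
        """Post only if this exact request was approved; each approval is consumed on use."""
        digest = request_digest(req)
        if digest not in self._approved:
            raise PermissionError(f"no valid approval for post to {req.account}: {req.text!r}")
        self._approved.discard(digest)
        return self._poster(req.account, req.text)


def demo() -> dict:
    """Constructed scenario: an allowed post, a post rewritten after approval, and a replay."""
    shown, posted = [], []

    def approver(req: PostRequest) -> bool:
        shown.append((req.account, req.text))
        return req.account == "@example_bot"  # only the dedicated account is ever approved

    def poster(account: str, text: str) -> dict:
        posted.append((account, text))
        return {"status": "posted", "account": account}

    gate = PostGate(approver, poster)
    req = PostRequest("@example_bot", "Release 1.0.0 is out.")
    approved = gate.request(req)
    first = gate.post(req)

    # The agent rewrites the text after approval: the digest no longer matches.
    try:
        gate.post(PostRequest("@example_bot", "Release 1.0.0 is out. Buy now!"))
        altered_blocked = False
    except PermissionError:
        altered_blocked = True

    # Re-using the consumed approval for the identical text is also refused.
    try:
        gate.post(req)
        replay_blocked = False
    except PermissionError:
        replay_blocked = True

    # A request for a different account is shown to the approver and declined.
    other_approved = gate.request(PostRequest("@personal", "hello"))

    return {
        "approved": approved,
        "first": first,
        "altered_blocked": altered_blocked,
        "replay_blocked": replay_blocked,
        "other_approved": other_approved,
        "posted": posted,
        "shown": shown,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the approver sees, and the gate later checks, the same bytes: approving "a post" in the abstract gives an agent nothing, and the `--max`-style caution in the next note applies equally here, since every accepted post is an irreversible public action.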
**Impact:** Large searches, timelines, or bookmark exports could consume paid API credits.
**Detail:** The skill can make API calls that may consume paid X API credits, but the cost model and spending-limit advice are disclosed.
**Evidence:** **Pay-per-usage model:** - Buy credits in Developer Console - Charged per unique tweet/user returned - Set spending limits to control costs
**Recommendation:** Set X API spending limits and keep command `--max` values modest unless you intend to spend credits.
**Impact:** You have less external provenance to verify who maintains the skill or where updates come from.
**Detail:** The registry entry does not provide an external source or homepage for provenance verification, although the included artifacts show no remote installer or dependency chain.
**Evidence:** Source: unknown; Homepage: none
**Recommendation:** Review the included script before use and prefer installing from a trusted publisher or repository when available.
