X

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill is a straightforward X/Twitter API client, but it needs user-owned API credentials and can read private account data or post publicly if OAuth is enabled.

Install only if you are comfortable giving this skill X API credentials. For read-only use, avoid OAuth write permissions; for posting, confirm the exact text before execution. Protect ~/.openclaw/x credential files and set X billing/spending limits as the setup guide recommends.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If OAuth is enabled, the skill can read private bookmark data and post tweets using the authorized account until the token is revoked or expires.

Why it was flagged

The skill uses delegated X account credentials, including write permission and refresh-capable offline access, and stores resulting tokens locally.

Skill content

Save tokens to `~/.openclaw/x/tokens.json` ... Scopes granted: `tweet.read`, `users.read`, `bookmark.read`, `tweet.write`, `offline.access`

Recommendation

Use the least-privileged X app permissions you need, protect files under ~/.openclaw/x, and revoke OAuth access if you stop using the skill.

What this means

A mistaken or over-permissive agent action could publish unintended content to the user’s X account.

Why it was flagged

The skill exposes a command that can create a public post on X. This is disclosed and aligned with the stated purpose, but it is a high-impact account action.

Skill content

python3 {baseDir}/scripts/x.py post "Hello from OpenClaw! 🦞"

Recommendation

Require explicit confirmation of the final tweet text before running post commands, and avoid granting tweet.write if you only need read-only features.

What this means

Private bookmarks or liked content may enter the agent conversation or be saved locally, where it could be reused or exposed if the file is shared.

Why it was flagged

The documentation shows private/bookmarked account data can be retrieved and written to a local file for later use.

Skill content

python3 {baseDir}/scripts/x.py bookmarks --max 100 > bookmarks.txt

Recommendation

Only retrieve or export bookmarks when needed, store exported files carefully, and delete them when no longer required.

What this means

Users have less external context for who maintains the skill or where to verify updates.

Why it was flagged

The registry metadata does not identify an upstream source or homepage, which limits provenance verification for a credential-handling skill.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included script before use and prefer installing credential-handling skills from a source you trust.