X
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: x-api-v2
Version: 1.0.0
The bundle is a functional X (Twitter) API v2 client implemented in pure Python using only the standard library. It correctly implements Bearer token authentication and the OAuth 2.0 PKCE flow for user-context actions like bookmarks and posting, including a local callback server (scripts/x.py). The code is well-structured, lacks obfuscation, and contains no evidence of data exfiltration, unauthorized file access, or malicious prompt injection instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If OAuth is enabled, the skill can read private bookmark data and post tweets using the authorized account until the token is revoked or expires.
The skill uses delegated X account credentials, including write permission and refresh-capable offline access, and stores resulting tokens locally.
Save tokens to `~/.openclaw/x/tokens.json` ... Scopes granted: `tweet.read`, `users.read`, `bookmark.read`, `tweet.write`, `offline.access`
Use the least-privileged X app permissions you need, protect files under ~/.openclaw/x, and revoke OAuth access if you stop using the skill.
A mistaken or over-permissive agent action could publish unintended content to the user’s X account.
The skill exposes a command that can create a public post on X. This is disclosed and aligned with the stated purpose, but it is a high-impact account action.
python3 {baseDir}/scripts/x.py post "Hello from OpenClaw! 🦞"
Require explicit confirmation of the final tweet text before running post commands, and avoid granting tweet.write if you only need read-only features.
Private bookmarks or liked content may enter the agent conversation or be saved locally, where it could be reused or exposed if the file is shared.
The documentation shows private/bookmarked account data can be retrieved and written to a local file for later use.
python3 {baseDir}/scripts/x.py bookmarks --max 100 > bookmarks.txt
Only retrieve or export bookmarks when needed, store exported files carefully, and delete them when no longer required.
Users have less external context for who maintains the skill or where to verify updates.
The registry metadata does not identify an upstream source or homepage, which limits provenance verification for a credential-handling skill.
Source: unknown; Homepage: none
Review the included script before use and prefer installing credential-handling skills from a source you trust.
