Twitter Automation
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill is openly for Twitter/X automation, but it gives an agent broad ability to post, delete, DM, follow, and otherwise act on your account without clear approval guardrails.
Review this skill carefully before installing. It appears purpose-aligned for Twitter/X automation, but you should require explicit confirmation for every post, delete, DM, follow, like, or retweet, verify the CLI installer, and understand what account permissions inference.sh receives.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used too freely, an agent could make public posts, send private messages, follow users, or delete tweets in a way that affects your reputation or account history.
The skill authorizes broad use of the inference.sh CLI and documents commands that can mutate a Twitter/X account. The artifact does not add approval requirements before posting, deleting, DMing, following, liking, or retweeting.
allowed-tools: Bash(infsh *) ... | Delete Post | `x/post-delete` | Delete a tweet | ... | Send DM | `x/dm-send` | ... | Follow User | `x/user-follow` |
Only use this skill with explicit per-action confirmation. Review exact tweet text, media, recipient IDs, tweet IDs, and target accounts before allowing any mutating command.
A connected account could be used for sensitive delegated actions, including public engagement and private DMs.
The skill requires login to a service that can act on the user's Twitter/X account, while the reviewed metadata declares no primary credential or permission scope. The artifacts do not bound which account powers may be used.
curl -fsSL https://cli.inference.sh | sh && infsh login ... Capabilities: post tweets, schedule content, like posts, retweet, send DMs, follow users
Use a dedicated or limited-scope account where possible, verify the X integration permissions in inference.sh, and revoke tokens when finished.
You are trusting the remote inference.sh installer and distribution endpoint during setup.
The setup path downloads and runs a remote installer that is not included in the reviewed artifact set. The skill states that checksums are verified, but the installer itself was not available for this review.
curl -fsSL https://cli.inference.sh | sh && infsh login
Prefer the documented manual install and checksum verification path, and install only from the official inference.sh source.
Private messages or unpublished post content may be processed by the external automation provider and X.
DM text, tweet text, recipient IDs, tweet IDs, and media URLs are sent through the inference.sh CLI/provider path to perform X actions. This is expected for the integration, but it is still a sensitive data flow.
infsh app run x/dm-send --input '{
"recipient_id": "user_id_here",
"text": "Hey! Thanks for the follow."
}'Do not send confidential DMs, private media URLs, or sensitive account data through the skill unless you trust the provider and understand its data handling.