Wip Xai X Private
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real X/Twitter API wrapper, but it gives an agent account-write and local-file-upload powers through OAuth/1Password credentials with limited built-in safeguards.
Install only if you intentionally want an agent to access your X account. Prefer read-only credentials unless posting is required, require manual approval for posting/deleting/uploading, restrict media upload paths, and verify the exact 1Password item or environment variables being used.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled for an autonomous agent, the agent could post or delete tweets from the connected X account without a separate safeguard in this skill.
The MCP handler directly executes public account-mutation tools when called, and the artifacts do not show an in-tool confirmation step or scoped approval policy.
case 'x_post_tweet':
result = await post_tweet(params);
...
case 'x_delete_tweet':
result = await delete_tweet(params);Enable write tools only with explicit user approval policies, or separate read-only and write-capable configurations.
A connected agent could attempt to read and upload any file the process can access if it supplies that path.
The upload tool reads a caller-supplied local file path and sends the data to X as media, with no path restriction or user-selection guard shown.
const buffer = readFileSync(file_path);
data = buffer.toString('base64');
...
const result = await client.media.upload({ body });Restrict uploads to user-selected media files, validate MIME/type and path, and require confirmation before transmitting local files.
Installing and enabling the skill can give an agent delegated authority over the user's X account, including private bookmarks and public write actions.
The skill automatically resolves X credentials from environment variables or a local 1Password item, including OAuth tokens that enable read/write account access.
const OP_ITEM = process.env.X_OP_ITEM || 'X API Key - wip-01';
...
bearerToken: process.env.X_BEARER_TOKEN || opRead('bearer token'),
...
accessTokenSecret: process.env.X_ACCESS_TOKEN_SECRET || opRead('access token secret')Use least-privilege credentials, prefer a read-only bearer token when possible, set the intended 1Password item explicitly, and consider a separate X account for agent use.
Normal use should only call the local 1Password CLI, but unsafe shell construction is more fragile than direct argument execution.
The shell execution is limited to 1Password credential retrieval, but it constructs a shell command from configurable vault/item values.
return execSync(`op read "${ref}" 2>/dev/null`, { encoding: 'utf8' }).trim() || null;Replace execSync shell strings with execFile/spawn and argument arrays, and sanitize or reject quotes/control characters in vault and item names.
Any trusted agent process connected to this MCP server may be able to call read/write X tools and receive private account data such as bookmarks.
The skill exposes its X tools through a local MCP stdio server; authorization and approval boundaries depend on the MCP host.
const transport = new StdioServerTransport(); await server.connect(transport);
Only attach this MCP server to trusted clients, and configure host-level approvals for write and upload tools.
A user relying on the registry summary could underestimate the account permissions needed by the skill.
The registry-level metadata under-declares credentials/capabilities even though SKILL.md and code require X tokens for meaningful use.
Required env vars: none Env var declarations: none Primary credential: none ... Capability signals No capability tags were derived.
Declare X bearer/OAuth credentials and read/write social-account capabilities in registry metadata.