Production-ready Twitter/X data and automation for autonomous agents
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised, misused, or over-trusted provider flow could access or misuse the Twitter/X account used for write operations, or get it banned.
The login method packages Twitter account and proxy credentials and sends them to the AIsa API, granting a third party credential-level account access rather than a narrow scoped token.
BASE_URL = "https://api.aisa.one/apis/v1" ... "email": email, "password": password, "proxy": proxy ... return self._request("POST", "/twitter/user_login_v3", data=data)
Prefer read-only functions. If write access is necessary, use only a dedicated automation account with a unique password, review the provider carefully, rotate credentials, and prefer scoped OAuth-style access where possible.
An agent or user mistake could publish unwanted content, like or retweet inappropriate posts, alter a profile, damage reputation, or trigger account enforcement.
The skill exposes operations that can mutate a public social-media account. The warnings are clear, but the provided artifacts do not show a built-in confirmation or policy gate for these high-impact actions.
Write Operations (Authentication Required - High Risk) - Post tweets - Like tweets - Retweet - Update profile
Require explicit user approval for every write action, limit which accounts and actions are allowed, add rate limits and dry-run modes, and keep read-only operations as the default.
Users may under-protect the AIsa API key if they read the read-only mode as completely credential-free.
The skill also requires AISA_API_KEY and shows Authorization bearer headers elsewhere, so this wording should be understood as "no Twitter credentials", not "no credentials at all".
Read Operations (SAFE - Recommended for Most Users) ... No authentication required ... No credentials transmitted
Clarify documentation to say that read operations require the AIsa API key but do not require Twitter login credentials, and advise users to protect and rotate the API key.
If run from the wrong directory, it could delete unrelated local build, cache, IDE, log, or temporary files.
The optional cleanup script recursively deletes files and directories matching common cache, build, IDE, and temporary-file patterns from the current directory.
find . -name "$pattern" -type f -delete ... find . -type d -name "$pattern" -exec rm -rf {} +
Run the cleanup script only inside a disposable copy of the package directory after reviewing it, and do not run it from a broader project or home directory.
