X Growth Automation

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If live mode is enabled, mistakes or unwanted drafts could be posted publicly from the user's account.

Why it was flagged

The skill can configure automation that posts publicly through the user's X account. The same instructions disclose safety controls, so this is purpose-aligned but important for users to notice.

Skill content

Treat X API as **write/publish layer**. ... Keep publish disabled by default unless the user explicitly asks for live publishing.

Recommendation

Start in dry-run, review generated drafts and schedules, set conservative daily/monthly caps, and enable live publishing only after explicit approval.

What this means

Anyone who obtains these credentials could potentially access or post through the connected X account, depending on token scope.

Why it was flagged

The scaffold prepares placeholders for X API credentials and session-style tokens. These are expected for X/Bird automation, but they are high-value account credentials.

Skill content

X_API_KEY=
X_API_SECRET=
X_ACCESS_TOKEN=
X_ACCESS_TOKEN_SECRET=
AUTH_TOKEN=
CT0=

Recommendation

Use least-privilege X API credentials, avoid pasting secrets into chat, store them only in a local .env or secret manager, and rotate them if exposed.

What this means

If pointed at an existing project, the script can overwrite scaffolded files such as README.md and config files.

Why it was flagged

The scaffold script writes files into the user-supplied target path. This is central to the skill's purpose and is disclosed, but the target directory should be chosen carefully.

Skill content

root = Path(args.path)
root.mkdir(parents=True, exist_ok=True)

write(root / "README.md", README)

Recommendation

Use a new empty folder unless intentionally adapting an existing repository, and review changes before committing or running any generated automation.