X Twitter
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent X/Twitter API helper, but it uses read/write account credentials and can perform public account actions, so install it only if you want that authority.
Before installing, understand that this skill can use your X/Twitter credentials to create, delete, like, and retweet content from your account. Store the credentials securely, rotate tokens when needed, and confirm every public or account-changing action before allowing the agent to run it.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked on an ambiguous or mistaken request, the agent could post, delete, like, or retweet from the user's X account.
The skill exposes public/account-changing X actions through inline API calls. This is expected for an X/Twitter manager, but these actions can affect the user's public account.
Constructs and executes X API v2 calls inline based on what the user wants. ... Post a tweet ... Delete a tweet ... Like a tweet ... Retweet
Use explicit prompts and require confirmation before any write, delete, like, or retweet action; use read-only credentials if only search or analytics are needed.
Anyone who can access or misuse these credentials could act through the connected X account within the granted permissions.
The skill uses sensitive X API and access-token credentials from a local file. This is disclosed and aligned with the integration, but it grants delegated account authority.
"primaryCredential": { ... "path": "~/.config/x-twitter/credentials.json", ... "fields": ["X_API_KEY", "X_API_SECRET", "X_ACCESS_TOKEN", "X_ACCESS_SECRET"], ... "sensitive": true }
Grant the minimum X app permissions needed, protect the credentials file with restrictive permissions, and rotate access tokens if the host or file may be compromised.
