twitter-aisa-api
v1.0.1
Search and read Twitter/X profiles, tweets, trends, and Spaces via AISA relay, then publish posts with OAuth and approved media files using AISA_API_KEY.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, SKILL.md, and Python clients are coherent: they implement read APIs and OAuth-based posting via the AISA relay (api.aisa.one). Requiring an AISA_API_KEY and python3 is proportionate to the stated capability. However, the registry-level top summary lists no required env vars or bins while SKILL.md and the scripts require AISA_API_KEY and python3 — this packaging/metadata mismatch is unexpected.
Instruction Scope
Runtime instructions in SKILL.md and references/post_twitter.md are scoped to searching, reading, and publishing via the relay. They explicitly require OAuth approval for posting, restrict media uploads to user-provided workspace files, and advise returning an authorization URL rather than collecting passwords or cookies. The scripts only reference workspace file paths for media and the AISA_API_KEY env var.
Install Mechanism
No install spec is provided (instruction-only packaging), and the code files are included in the bundle, so nothing is downloaded from external URLs during install. Install-time risk is low, but you should verify the included scripts before running them.
Credentials
The code and SKILL.md require AISA_API_KEY (and the SKILL.md metadata lists python3). That single API key is proportionate to the skill's purpose. The concern is that the registry metadata at the top of the bundle incorrectly lists no required env vars or primary credential, which could cause accidental omission of required secrets by operators or mask the need to supply the API key. No other unrelated credentials are requested by the code.
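One way to check the mismatch described above before enabling the skill, as an added example (not code from the skill bundle or from ClawHub): parse the bundled scripts and report every environment variable they read that the declared metadata omits. The script contents and the two declared lists below are constructed stand-ins based on this report's wording, not the bundle's real source or metadata format.

```python
import ast

# Call forms that read an environment variable (with or without "from os import ...").
GETTERS = {"os.getenv", "os.environ.get", "getenv", "environ.get"}
MAPPINGS = {"os.environ", "environ"}

def env_vars_referenced(source: str) -> set[str]:
    """Names of environment variables a Python source file reads."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and node.args and ast.unparse(node.func) in GETTERS:
            key = node.args[0]
        elif isinstance(node, ast.Subscript) and ast.unparse(node.value) in MAPPINGS:
            key = node.slice
        else:
            continue
        if isinstance(key, ast.Constant) and isinstance(key.value, str):
            found.add(key.value)
        else:
            found.add("<dynamic>")  # name computed at runtime: needs manual review
    return found

def undeclared_env(declared, sources):
    """Map each file path to the env vars it reads that `declared` omits."""
    report = {}
    for path, source in sources.items():
        missing = env_vars_referenced(source) - set(declared)
        if missing:
            report[path] = missing
    return report

# Constructed stand-ins for the bundled scripts (NOT their real contents).
SAMPLE_SOURCES = {
    "scripts/twitter_client.py": 'import os\nKEY = os.environ["AISA_API_KEY"]\n',
    "scripts/twitter_oauth_client.py": (
        'import os\n'
        'key = os.getenv("AISA_API_KEY")\n'
        'extra = os.environ.get(name_from_config)\n'
    ),
}

if __name__ == "__main__":
    # Assumption: registry metadata declares nothing; SKILL.md declares AISA_API_KEY.
    for label, declared in (("registry", []), ("SKILL.md", ["AISA_API_KEY"])):
        print(label, undeclared_env(declared, SAMPLE_SOURCES))
```

To audit a real bundle, build the `sources` mapping by reading each `.py` file under `scripts/`; any `<dynamic>` entry marks a lookup whose variable name cannot be resolved statically.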
Persistence & Privilege
The skill is not forced always-on (always: false) and uses normal autonomous invocation. SKILL.md claims no home-directory persistence or cookie scraping; the provided code appears to follow a relay/OAuth flow. You should still verify whether OAuth tokens are stored locally by the oauth client (not fully shown in truncated source) before trusting persistent behavior.
What to consider before installing
This package is generally coherent with its stated purpose (reads and posts via the AISA relay), but the top-level registry metadata does not list the required AISA_API_KEY or python3 even though SKILL.md and the scripts require them. Before installing or enabling:
1) verify the AISA_API_KEY comes from a trusted AISA operator and that you understand the key's permissions;
2) review the included scripts (twitter_oauth_client.py) for where OAuth tokens are stored or cached (ensure they are not silently written to unexpected locations);
3) be aware that publishing will upload any provided workspace media to https://api.aisa.one (the relay) and that network calls occur;
4) test in a sandboxed environment if possible; and
5) request the publisher to correct registry metadata so required env vars and binaries are declared.
If you cannot confirm the relay operator or token handling, do not install or run the skill with real credentials.
Like a lobster shell, security has layers — review code before you run it.
latest
AISA Twitter API
Runtime-focused release bundle for Twitter/X search and posting through the AISA relay.
When to use
- The user wants to read profiles, timelines, mentions, followers, tweet search results, trends, lists, communities, or Spaces.
- The user wants to draft or publish posts after completing OAuth without sharing passwords.
- The task needs a Python client for repeatable Twitter/X automation backed by AISA_API_KEY.
When NOT to use
- The user needs cookie extraction, browser credential scraping, or direct password login.
- The workflow must avoid sending requests, OAuth state, or approved media through api.aisa.one.
- The request is for likes, follows, or other engagement actions not covered by this package.
Quick Reference
- Required env: AISA_API_KEY
- Read client: ./scripts/twitter_client.py
- Post workflow guide: ./references/post_twitter.md
Setup
export AISA_API_KEY="your-key"
All network calls go to https://api.aisa.one/apis/v1/....
Capabilities
- Read user data, timelines, mentions, followers, followings, verified followers, and follow relationships.
- Search tweets and users, inspect replies, quotes, retweeters, thread context, and Spaces.
- Publish text, image, and video posts after explicit OAuth approval.
- Split long posts into threaded chunks when the publish script needs it.
Common Commands
python3 {baseDir}/scripts/twitter_client.py user-info --username elonmusk
python3 {baseDir}/scripts/twitter_client.py search --query "AI agents" --type Latest
python3 {baseDir}/scripts/twitter_client.py trends --woeid 1
python3 {baseDir}/scripts/twitter_oauth_client.py status
python3 {baseDir}/scripts/twitter_oauth_client.py authorize
python3 {baseDir}/scripts/twitter_oauth_client.py post --text "Hello from OpenClaw"
Posting Workflow
When the user asks to send, publish, reply, or quote on X/Twitter, follow ./references/post_twitter.md.
- Return the authorization link first when posting is not yet approved.
- Use --media-file only for user-provided workspace files.
- Do not invent captions, remote URLs, or extra media attachments.
ClawHub Suspicious Review Notes
These points summarize the common reasons similar skills are marked Suspicious and how this release addresses them:
- The package is relay-based: read calls, OAuth requests, and approved media uploads go to api.aisa.one.
- The package is API-key-first: it requires AISA_API_KEY and does not ask for passwords, cookies, CT0, or other legacy secrets.
- The release bundle is runtime-only: it keeps SKILL.md, scripts/, and the posting reference, while omitting non-runtime files such as README.md and _meta.json.
- The package does not include cache sync, self-install logic, home-directory persistence, browser-cookie extraction, or external agent CLI wrappers.
- Browser opening is optional and not the default workflow; returning the authorization link is the preferred path for OpenClaw.
Release Bundle Notes
- scripts/twitter_client.py preserves the read API surface from the original bundle.
- scripts/twitter_oauth_client.py preserves OAuth and posting behavior from the original bundle.
- This package is optimized for publication metadata and upload safety, not for changing runtime logic.
