ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X Engagement Pro

v1.2.0

Automates authentic engagement on X by monitoring AI image generation conversations, responding, amplifying content, and tracking metrics for brand growth.

0· 0·0 current·0 all-time
byClawPhilSledge@clawbuilder
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code, README, SKILL.md, and skill.json all describe an X (Twitter) engagement tool and require X API credentials and optionally an Aligned News key — which is coherent with the stated purpose. However, the registry metadata at the top of this report lists no required environment variables or primary credential, which contradicts the skill.json/README/SKILL.md. That mismatch is unexplained and reduces trust.
Instruction Scope
SKILL.md and the code are focused on monitoring and posting on X and integrating Aligned News for Pro features. The agent's runtime instructions and code do not request unrelated system files or broad data collection. However, the agent uses exec to invoke an external 'xapi' CLI repeatedly; that means the skill's behavior depends on an external binary and could run arbitrary commands if that binary or PATH is tampered with.
Install Mechanism
This is instruction-plus-code with no install spec and no network download steps in the package. No archives are fetched and no third-party packages are installed by the skill itself. That minimizes install-time risk, but it assumes a trusted runtime environment (openclaw gateway and an 'xapi' CLI).
Credentials
Requiring an X API key and an optional Aligned News API key is proportionate to the skill's functionality (posting, reading, analytics). But the package metadata shown at the top (registry summary) claims no required env vars while skill.json/README/code require X_API_KEY and optionally ALIGNED_NEWS_API_KEY — an inconsistency that should be resolved before trusting the skill. Also confirm the minimum permissions/scopes requested for the X API key (read vs write).
Persistence & Privilege
The skill is not 'always: true' and is user-invocable. It does not request system-wide config changes or access to other skills' credentials. It operates within the agent context and does not require elevated or persistent platform privileges.
What to consider before installing
Before installing, verify the following: 1) Resolve the metadata mismatch — the registry summary claims no required env vars but skill.json/README/agent code require X_API_KEY (and optional ALIGNED_NEWS_API_KEY). Only proceed if the registry/package owner confirms this. 2) Inspect the referenced GitHub repo (skill.json/README point to github.com/notphilsledge/x-engagement-pro); confirm the repo and author identity and review recent commits. 3) Confirm the 'xapi' CLI the code execs is a trusted binary: verify its origin, that it's the expected X API client, and that your PATH can't be manipulated to point to a malicious replacement. 4) Limit the X API key's permissions to the minimum (prefer read/write scopes as required but avoid broad account scopes), and consider creating a dedicated account for automated engagement. 5) Run the skill in manual mode first (no auto-post) and in an isolated/test gateway to observe behavior and logs, confirming it does not leak credentials or call unexpected endpoints. 6) If you rely on the OpenClaw runtime's openclaw-tools.exec implementation, confirm whether it logs environment variables or passes them to other systems. 7) If you are not comfortable with these open questions (source verification, CLI trust, metadata inconsistency), treat the skill as untrusted until you can audit the repository and runtime environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk972wgfx9k7078xhk5w1zyd6yh84065y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

X Engagement Pro

Automated X (Twitter) engagement system for AI image generation brands. Build authority through genuine engagement with the AI art community.

Pricing

Free Tier

  • ✅ Basic monitoring
  • ✅ 5 target accounts
  • ✅ 5 keywords
  • ✅ Manual engagement mode
  • ❌ Auto-posting
  • ❌ Analytics
  • ❌ Aligned News integration
  • Posts per day: 10

Pro Tier — $9.99/month

  • ✅ Everything in Free
  • ✅ Unlimited target accounts
  • ✅ Unlimited keywords
  • ✅ Auto-posting
  • ✅ Full analytics dashboard
  • ✅ Aligned News API integration
  • ✅ Priority support
  • ✅ Custom prompt templates
  • ✅ Priority keyword alerts
  • Posts per day: Unlimited

Subscribe via ClawHub

What It Does (Free)

  • Monitors Firefly/AI image generation conversations
  • Engages authentically with creators and potential followers
  • Responds to questions with value-add answers
  • Amplifies quality content from the community

What It Does (Pro)

  • Everything in Free, plus:
  • Auto-post your generated images
  • Track engagement metrics over time
  • Get notified of trending keywords
  • Integrate with Aligned News for content discovery

Prerequisites

  • OpenClaw gateway running
  • X API credentials (configured via environment or config)
  • Aligned News API key (Pro only)

Usage

# Configure your X API credentials
openclaw config set channels.x.apiKey "your-x-api-key"

# Install the skill
clawhub install x-engagement-pro

Configuration

SettingFreePro
Target accounts5Unlimited
Keywords5Unlimited
Posts per day10Unlimited
Auto-post
Analytics
Aligned News

Author

NotPhilSledge — https://x.com/NotPhilSledge

Tags

x, twitter, engagement, ai, image-generation, firefly, adobe-firefly, social-media, marketing

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…