Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

x-intelligence-automation-aisa

v1.0.0

Search and engage with Twitter/X profiles, tweets, trends, and perform authorized posting, liking, and following via the AISA relay using OAuth and API key.

Security Scan
Capability signals
  • Requires OAuth token
  • Requires sensitive credentials
  • Posts externally
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, and included Python scripts align: they implement read, OAuth-based posting, and engagement through the AISA relay. However, the registry-level summary at the top of the package (provided metadata) incorrectly lists no required env vars or primary credential, while the SKILL.md and scripts require AISA_API_KEY. This inconsistency could mislead users.
Instruction Scope
Runtime instructions and reference docs limit behavior to searching, read APIs, OAuth authorization flows, posting, liking, following, and uploading workspace attachments. They explicitly forbid asking for passwords or cookie extraction and recommend returning an authorization link instead of auto-opening a browser (browser open is optional).
Install Mechanism
No install spec is provided (instruction-plus-scripts bundle). No downloads or installers are invoked; risk is limited to the included Python scripts being executed in the agent environment.
Credentials
The code and SKILL.md legitimately require a single credential, AISA_API_KEY, which is appropriate for a relay-based service. The concern is that the registry-level metadata omits this requirement; that mismatch could hide the need to provide a secret. Also note that AISA_API_KEY grants the relay authority to perform actions (reads/writes/uploads) on behalf of the agent; users should verify the key's origin and confirm that they trust the relay operator.
Persistence & Privilege
The skill does not request always: true, doesn't claim system-wide changes, and the SKILL.md discourages local home-directory persistence or cookie extraction. It may open a browser optionally per user request but otherwise returns authorization URLs.
What to consider before installing
This package implements a relay-based Twitter/X client that sends reads, OAuth flows, posts, likes, follows, and media uploads to https://api.aisa.one and requires you to set AISA_API_KEY. Before installing: (1) confirm the registry metadata omission — the skill does require AISA_API_KEY even though some registry fields say none, (2) only provide an AISA_API_KEY you trust and understand that the relay operator will see post content, attachments, and posting privileges, (3) review the included Python scripts if possible (they are bundled) to ensure behavior matches your expectations, and (4) if you need stronger guarantees, prefer a skill backed by a known homepage/owner or run your own local client instead of a third‑party relay.
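One way to carry out checks (1) and (3) above before installing, as an added example that is not part of the skill bundle or of ClawHub's scanner: it parses Python sources, collects the environment variables they read and the hosts in their URL literals, and diffs both against what the listing declares. The script contents, the file names and the collector.example.invalid host are constructed for illustration.

```python
import ast
from urllib.parse import urlparse

# Constructed stand-ins for bundled scripts (NOT the skill's real code).
SAMPLE_SCRIPTS = {
    "scripts/read_example.py": 'import os\nBASE = "https://api.aisa.one/apis/v1"\n'
                               'KEY = os.environ.get("AISA_API_KEY")\n',
    "scripts/write_example.py": 'import os\nKEY = os.environ["AISA_API_KEY"]\n'
                                'EXTRA = "https://collector.example.invalid/ingest"\n',
}
ENV_CALLS = {"os.getenv", "os.environ.get", "environ.get", "getenv"}

def _text(node):
    """String value of a literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None

def audit_source(source):
    """Return (env var names read, hosts in URL literals) for one source string."""
    env_vars, hosts = set(), set()
    for node in ast.walk(ast.parse(source)):  # ast.unparse needs Python 3.9+
        name = host = None
        if isinstance(node, ast.Call) and node.args and ast.unparse(node.func) in ENV_CALLS:
            name = _text(node.args[0])
        elif isinstance(node, ast.Subscript) and ast.unparse(node.value) in ("os.environ", "environ"):
            name = _text(node.slice)
        elif (_text(node) or "").startswith(("http://", "https://")):
            host = urlparse(node.value).hostname
        if name:
            env_vars.add(name)
        if host:
            hosts.add(host)
    return env_vars, hosts

def compare(declared_env, allowed_hosts, sources):
    """Diff what the scripts actually use against what the listing declares."""
    used_env, used_hosts = set(), set()
    for src in sources.values():
        env_vars, hosts = audit_source(src)
        used_env |= env_vars
        used_hosts |= hosts
    return {"undeclared_env": sorted(used_env - set(declared_env)),
            "unexpected_hosts": sorted(used_hosts - set(allowed_hosts))}

if __name__ == "__main__":
    # Registry metadata declared no env vars; SKILL.md names api.aisa.one as the only host.
    print(compare([], ["api.aisa.one"], SAMPLE_SCRIPTS))
```

This is a static check over literals only: a variable name or URL assembled at runtime will not appear, so an empty result narrows the manual review rather than replacing it.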

Like a lobster shell, security has layers — review code before you run it.

latest vk972ajzewdndajvnn8fdf82jax84xbqk
37 downloads
0 stars
1 versions
Updated 4d ago
v1.0.0
MIT-0

X Intelligence Automation

Runtime-focused release bundle for Twitter/X search, posting, and engagement through the AISA relay.

When to use

  • The user wants Twitter/X research plus posting, liking, unliking, following, or unfollowing workflows.
  • The task can use a Python client with AISA_API_KEY and explicit OAuth approval.
  • The workflow needs a single package that covers read, post, and engagement actions.

When NOT to use

  • The user needs cookie extraction, password login, or a fully local Twitter client.
  • The workflow must avoid relay-based network calls or media upload through api.aisa.one.
  • The task needs undocumented secrets or browser-derived auth values.

Quick Reference

  • Required env: AISA_API_KEY
  • Read client: ./scripts/twitter_client.py
  • Post client: ./scripts/twitter_oauth_client.py
  • Engage client: ./scripts/twitter_engagement_client.py
  • References: ./references/post_twitter.md, ./references/engage_twitter.md

Setup

export AISA_API_KEY="your-key"

All network calls go to https://api.aisa.one/apis/v1/....

Capabilities

  • Read user, tweet, trend, list, community, and Spaces data.
  • Publish text, image, and video posts after explicit OAuth approval.
  • Like, unlike, follow, and unfollow through the engagement client once authorization exists.
  • Reuse OpenClaw context instead of local file-based conversation persistence.

Common Commands

python3 {baseDir}/scripts/twitter_client.py search --query "AI agents" --type Latest
python3 {baseDir}/scripts/twitter_oauth_client.py authorize
python3 {baseDir}/scripts/twitter_oauth_client.py post --text "Hello from OpenClaw"
python3 {baseDir}/scripts/twitter_engagement_client.py like-latest --user "@elonmusk"
python3 {baseDir}/scripts/twitter_engagement_client.py follow-user --user "@elonmusk"

Posting and Engagement Workflow

  • Use ./references/post_twitter.md for post, reply, quote, and media-upload actions.
  • Use ./references/engage_twitter.md for likes, unlikes, follows, and unfollows.
  • Obtain OAuth authorization before any write action.

ClawHub Suspicious Review Notes

These points summarize the common reasons similar skills are marked Suspicious and how this release addresses them:

  • The package is relay-based: read calls, OAuth requests, engagement actions, and approved media uploads go to api.aisa.one.
  • The package is API-key-first: it requires AISA_API_KEY and does not ask for passwords, cookies, CT0, or other legacy secrets.
  • The release bundle is runtime-only: it keeps SKILL.md, scripts/, and the required references, while omitting non-runtime files such as README.md and _meta.json.
  • The package does not include cache sync, self-install logic, home-directory persistence, browser-cookie extraction, or external agent CLI wrappers.
  • Browser opening is optional and not the default workflow; returning the authorization link is the preferred path for OpenClaw.

Release Bundle Notes

  • scripts/twitter_client.py preserves the read API surface from the original bundle.
  • scripts/twitter_oauth_client.py preserves OAuth and posting behavior from the original bundle.
  • scripts/twitter_engagement_client.py preserves like, unlike, follow, and unfollow behavior from the original bundle.
  • This package is optimized for publication metadata and upload safety, not for changing runtime logic.
