Kiro X Publisher

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly coherent for X trend drafting, but it can use write-capable X credentials to publish tweets automatically on a persistent schedule.

Use this skill in search/draft mode first and avoid providing X write credentials unless you intend to publish. Do not run the cron setup unless you want ongoing automated public posts, and verify how to list and remove the cron job. Because the main pipeline source was truncated in the provided review artifact, inspect the complete script before using it on a real X account.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent or user runs the command with `--post`, the skill can publish content to the connected X account.

Why it was flagged

The skill documents a direct publish mode for X. Public account posting is a high-impact action, and the artifacts do not document a separate confirmation or review requirement before using this mode.

Skill content
Post directly:

```bash
python3 skills/kiro-x-hot-publisher/scripts/x_hot_pipeline.py \
  --queries "AI,OpenAI,DeepSeek" \
  --batch-size 10 \
  --post
```

Recommendation

Use the non-posting mode by default, review the generated draft first, and only run `--post` after an explicit user approval step.

Concern (High Confidence)
ASI10: Rogue Agents

What this means

Once the cron job is created, the connected account may post a tweet every day until the schedule is removed or changed.

Why it was flagged

The setup script creates a persistent daily scheduled OpenClaw job whose message runs the pipeline with `--post`, meaning it is designed to continue publishing without a per-run user action.

Skill content

```bash
CRON_EXPR="${X_HOT_CRON_EXPR:-0 9 * * *}"
...
MESSAGE="Run: python3 skills/kiro-x-hot-publisher/scripts/x_hot_pipeline.py --queries '$SAFE_QUERIES' --batch-size $BATCH --post"
...
cron add ... --message "$MESSAGE"
```

Recommendation

Only run the cron setup if you intentionally want automated public posting; add clear removal instructions, an expiration/count limit, or a review-before-post workflow.

What this means

Providing all listed credentials gives the skill enough authority to post to the X account, not just read public search results.

Why it was flagged

The metadata requires write-capable X OAuth credentials even though the body describes publishing as optional, which can grant posting authority before it is needed for search-only use.

Skill content

```
"env": ["X_BEARER_TOKEN", "X_API_KEY", "X_API_SECRET", "X_ACCESS_TOKEN", "X_ACCESS_TOKEN_SECRET"]
...
Publish (optional, only when `--post`)
```

Recommendation

Split search-only and publishing modes so only `X_BEARER_TOKEN` is required for discovery, and request write-capable OAuth credentials only when the user explicitly enables posting.