TweetClaw
Pass. Audited by ClawScan on May 5, 2026.
Overview
TweetClaw is a coherent instruction-only guide for an X/Twitter automation plugin, but users should note that the referenced plugin can use sensitive credentials, spend credits, post externally, and create recurring monitors when explicitly approved.
Before installing or using TweetClaw, verify the external @xquik/tweetclaw package source and only configure credentials you are comfortable granting. For every post, DM, profile change, paid extraction, draw, monitor, or webhook, confirm the exact target, content, cost, scope, storage/notification behavior, and how to stop recurring activity.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used, the referenced plugin could change an X/Twitter account, send messages, publish content, or spend credits after user approval.
The plugin can perform public, account-changing, paid, and recurring X/Twitter actions. This is purpose-aligned, and the guide adds explicit confirmation requirements.
Before any visible, state-changing, paid, or recurring action, summarize the exact target, account, action, text/media when relevant, and estimated credits, then wait for explicit user confirmation. This includes posting, replying, deleting, liking, retweeting, following, unfollowing, sending DMs, editing profiles, uploading media, creating webhooks, creating monitors, running draws, and starting extraction jobs.
Only approve actions after checking the exact account, target, content, media, cost, and whether the action is one-time or recurring.
A configured key may authorize account-backed workflows or paid read-only usage depending on mode.
The skill uses sensitive account/payment credentials, but the artifact discloses them and gives protective handling guidance.
XQUIK_API_KEY ... Optional Xquik API key for account-backed TweetClaw workflows. Prefer storing it in OpenClaw plugin config rather than exposing it to the agent session.
MPP_SIGNING_KEY ... Store as sensitive OpenClaw plugin config and never print it.
Store keys only in sensitive plugin configuration, avoid exposing them in chats or logs, and revoke or rotate them if accidentally revealed.
The actual installed plugin behavior cannot be fully verified from this instruction-only artifact alone.
The guide points users to install an external plugin, while the provided review context contains no code files for that plugin.
openclaw plugins install @xquik/tweetclaw
Verify the package source, publisher, version, and permissions before installing the external plugin.
Recurring or webhook-based workflows could send or retain social-media data outside the immediate chat flow.
Monitors, webhooks, and extraction jobs may store or notify about account-related data, but the guide instructs the agent to disclose storage and notification behavior before proceeding.
For bulk extraction, draw, or monitor requests, keep limits narrow by default. State the requested limit, estimated cost, and storage or notification behavior.
Ask where results are stored or sent, set narrow limits, and disable monitors/webhooks when no longer needed.
A monitor or webhook could continue running after setup if the user approves it.
The artifact supports recurring monitor/webhook behavior, which can persist beyond a single interaction, but it requires explicit confirmation.
Before any visible, state-changing, paid, or recurring action ... wait for explicit user confirmation. This includes ... creating webhooks, creating monitors ...
Confirm duration, scope, notification destination, and stop controls before approving recurring monitoring.
