Discover hot topics on X, enrich tweets one-by-one, score and summarize signals, generate one tweet draft, and optionally publish on schedule.
Security Analysis
medium confidence
The skill's code, scripts, and instructions are consistent with its stated purpose (discovering, summarizing, drafting, and optionally posting X tweets), but there are a few minor mismatches and privacy trade-offs you should review before installing.
Name/description match the included code: search via X API, enrich via FxTwitter, score/summarize, draft one tweet, and optionally post via OAuth 1.0a. However, registry metadata lists all OAuth keys as required even though the SKILL.md and scripts indicate posting is optional (search only needs X_BEARER_TOKEN). Also setup_cron.sh invokes a Node binary (openclaw.mjs) but the declared required binaries list only python3.
SKILL.md directs running the included Python scripts; the code only uses the X API and FxTwitter for enrichment and writes outputs to ./outputs/x-hot/. It does not read arbitrary system files. The enrichment step sends tweet URLs/content to api.fxtwitter.com, a third-party endpoint mentioned in the docs. The cron installer runs openclaw.mjs (via node) to register jobs, which is reasonable but not declared in required binaries.
There is no external download/install step; the package is instruction-and-script based with Python files included. No archive downloads or execution of remote code are performed by the provided scripts.
The skill requires X API credentials to post and a bearer token to search. This is proportional to functionality, but the registry declares all five X_* env vars as required while the documentation correctly marks four of them as optional (only needed when --post). Confirm whether the platform will require you to provide all keys or allows search-only operation with only X_BEARER_TOKEN.
`always` is false and the skill does not request elevated or platform-wide persistent privileges. setup_cron.sh can register a scheduled job via openclaw.mjs (uses an OpenClaw CLI), which is a normal installer behavior and scoped to scheduling this skill's run.
Guidance
This skill appears to do what it says: it searches X, optionally enriches via FxTwitter, ranks items, drafts a single tweet, and can post if you supply OAuth keys. Before installing:

(1) If you do not want it to post, do not provide the OAuth keys (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET); only X_BEARER_TOKEN is needed for search. Note the registry metadata currently lists all keys as required, so confirm the platform won't force you to supply them.

(2) The setup cron script invokes openclaw.mjs via a Node binary; ensure node is available or skip the cron setup.

(3) Enrichment uses api.fxtwitter.com (third party); tweets/URLs sent to that endpoint may be seen by that service, so review privacy implications.

(4) The scripts write a .env.template to a local skill workspace; place and protect any real credentials you add.

(5) Test in search-only mode first (no --post) and review outputs before enabling scheduled posting.

If you want stronger assurance, request confirmation from the publisher (kiroai.io) about why registry metadata requires all OAuth env vars and whether cron setup requires node.
Latest Release
v1.1.0
- Renamed the skill to "kiro-x-hot-publisher".
- Added `scripts/install_and_init.py` for improved setup and initialization.
- Removed `README.md`.
- Updated documentation: improved quick start instructions, now referencing the new script.
- Minor metadata and naming updates.
Published by @Vmining on ClawHub