Automates the process of identifying trends on X (Twitter), generating opinionated/engaging content, and posting it. Use when asked to post to X, run X automation, or check trends for content creation.
Security Analysis
medium confidenceThe skill's instructions coherently describe browsing X and posting as the logged-in user, but it relies on implicit browser-session access and external notification paths that are not declared, creating surprising privileges and potential for misuse.
The skill's stated purpose (identify X trends, generate and post tweets) matches the SKILL.md instructions (use a browser to read timeline/trends and post). However, no credentials or API tokens are declared — the design implicitly depends on an authenticated Chrome session (OpenClaw extension) to perform posting. That implicit dependency is plausible but not explicitly declared, which is a mismatch users should know about.
Runtime instructions direct the agent to open the user's X timeline, read many posts, analyze top tweets, compose opinionated content, and perform an authenticated 'Post' action. This grants the skill the ability to act as the user (post publicly) and to read user-specific, potentially private feed content. The SKILL.md also requires notifying the user via 'primary channel (Telegram/Webchat)' without declaring how to access those channels. The agent is given broad, high-impact actions (posting on the user's behalf) that must be clearly consented to by the human operator.
Instruction-only skill with no install spec and no code files — lowest installation risk. Nothing is downloaded or written to disk by an installer.
The skill declares no required environment variables or credentials but expects access to an authenticated Chrome session and to external notification channels. Those are effectively credentials (browser cookies/session) and messaging endpoints that are not listed in requires.env. The absence of explicit credentials is not malicious by itself, but it hides the fact that the skill expects an authenticated browser context and unspecified notification hooks.
always:false and user-invocable:true — normal. The skill writes candidate drafts and logs to memory (memory/x-daily-candidates.log, memory/x-automation-logs.md), which is expected for this workflow. Be aware that stored drafts and logs may contain sensitive data and will persist in agent memory unless the user clears them.
Guidance
Before installing, understand that this skill automates actions as your logged-in X account by using a connected Chrome session (OpenClaw extension). That means it can read your timeline and post publicly on your behalf — a significant privilege. The skill does not declare any API keys or notification credentials yet references Telegram/Webchat notifications, so ask the author how notifications are implemented. Recommendations: 1) Only enable this if you trust the skill source (source/homepage unknown). 2) Require a human confirmation step before any post (do not allow fully autonomous posting). 3) Verify and limit the OpenClaw extension/tab permissions and ensure the browser session you expose is appropriate. 4) Audit and periodically clear the memory/log files the skill writes (drafts, logs). 5) If you need notifications, require explicit, documented webhook/credential configuration (and do not embed secrets in memory). 6) Prefer running in a disposable/sandboxed account until you’re comfortable with behavior. If you want more assurance, request the skill author to declare required env vars, provide a source repo/homepage, and add an explicit 'ask before posting' step in SKILL.md.
Latest Release
v1.0.0
Initial release of x-automation skill. - Automates trend identification on X (Twitter) and content generation based on trending topics. - Analyzes top tweets per trend and generates bold, opinionated candidate posts. - Posts selected content to X and notifies the user of success or failure. - Logs candidate tweets and errors for review and troubleshooting.
More by @harshhmaniya
Published by @harshhmaniya on ClawHub
