Is klemenska/twitter-x-api safe?
https://github.com/openclaw/skills/tree/main/skills/klemenska/twitter-x-api
The klemenska/twitter-x-api skill is a well-structured, legitimate Twitter/X API wrapper with clean code, no prompt injection, and no detected malicious behavior during installation or runtime. Sensitive credential file accesses observed in monitoring are attributable to the Oathe audit infrastructure's pre/post-install canary baseline checks, not the skill — confirmed by the passing canary integrity result and the absence of correlated outbound network traffic. The primary residual risk is operational: the skill grants an AI agent full read/write access to the user's Twitter account including private DMs, making it a high-impact capability that amplifies harm if the broader agent environment is compromised through other means.
Findings (7)
MEDIUM Sensitive credential files accessed during monitoring window — attribution uncertain -20
Filesystem monitoring (inotifywait and auditd) recorded OPEN and ACCESS events on six sensitive credential files during the monitoring window. The first cluster occurred at audit timestamp 1771918262 — approximately 5 seconds before the SSH session was established and before the skill git clone began (1771918267). The second cluster at 1771918284 followed immediately after the audit system's file-scanning phase. This timing pattern is consistent with Oathe's own pre/post-install canary baseline checks. No network exfiltration was detected in correlation with these reads, and the canary integrity check passed. However, since the accessing process cannot be conclusively identified from the provided evidence, the finding is retained at MEDIUM severity for transparency.
LOW Full Twitter account write access granted to agent -15
The skill enables the agent to post tweets, reply to arbitrary tweet IDs, create threads, and send DMs to any user. While this is the skill's stated and legitimate purpose, it constitutes a high-impact social media actuator. A separately-compromised agent (e.g., via prompt injection from a malicious web page or document) could use this skill to post misinformation, send phishing DMs, or impersonate the user without their knowledge.
LOW DM read access exposes private communications to agent context -13
The dms subcommand retrieves the user's direct message events including sender IDs and message text. This data enters the agent's context window where it could be summarized, relayed, or inadvertently included in outputs. A manipulated agent could be instructed to forward DM contents to an attacker via a subsequent tweet, DM reply, or external API call made through another skill.
LOW Media upload flag accepts arbitrary file system paths -12
The post subcommand's --media argument accepts any file path and passes it directly to api.media_upload(filename=media_path). If an agent is manipulated into running tweet.py post with a crafted --media argument pointing to a sensitive file (e.g., ~/.ssh/id_rsa, .env), that file's contents would be uploaded to Twitter's media endpoint and associated with a tweet, effectively exfiltrating it to Twitter's servers.
LOW Executable Python script included with authenticated network access -5
tweet.py is a 300+ line executable Python script that makes authenticated requests to the Twitter API v2 and v1.1 endpoints. The code is clean and uses only the legitimate tweepy library, but inclusion of executable code requires trust in both the skill author and the upstream repository's integrity for all future commits.
INFO Sparse monorepo checkout — shared supply chain with all openclaw skills -10
The installation process clones the entire openclaw/skills monorepo (shallow, depth 1) and sparse-checks out only the target skill path. This is a normal and efficient pattern for a centralized skill registry. The implication is that this skill's supply chain trust is coupled to the overall openclaw/skills repository governance — a compromise of that repository's main branch would affect this and all other skills.
INFO No prompt injection detected — SKILL.md is clean documentation -8
Full review of SKILL.md found only standard Twitter API documentation: credential setup instructions, a command reference table, workflow examples, rate limit tables, and error handling guidance. The {baseDir} template is a standard skill runner placeholder. No attempts to override system prompts, suppress output, impersonate another role, or chain behaviors were found.