Twitter Command Center
Bundle plugin: Twitter/X search, monitoring, and OAuth posting via AIsa endpoints
@aisa/twitter-command-center · runtime id @aisa/twitter-command-center
Install
openclaw bundles install clawhub:@aisa/twitter-command-centerLatest Release
Version 0.1.0
Compatibility
{
"builtWithOpenClawVersion": "0.1.0"
}Capabilities
{
"bundleFormat": "generic",
"capabilityTags": [
"bundle-only",
"format:generic",
"host:openclaw"
],
"executesCode": false,
"hostTargets": [
"openclaw"
],
"runtimeId": "@aisa/twitter-command-center"
}Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and SKILL.md implement Twitter/X read and OAuth-posting via https://api.aisa.one, which matches the name/description. However the top-level registry metadata (provided with this evaluation) listed no required env vars while the SKILL.md and twitter_client.py both require AISA_API_KEY; package/plugin files also show inconsistent licensing/homepage info. These packaging inconsistencies reduce trust and are unexplained.
Instruction Scope
Runtime instructions are narrowly scoped to calling AIsa read endpoints (GET with Authorization: Bearer $AISA_API_KEY) and using the AIsa OAuth relay for posting (POSTs that include aisa_api_key in the JSON body). The instructions do not demand extra files, system credentials, or password harvesting and explicitly forbid asking for Twitter passwords. The notable point: posting flows require sending your AISA_API_KEY in the POST body to the relay — this is expected for this relay design but is sensitive (it transmits your API key to a third party).
Install Mechanism
No install spec is provided (instruction-only), so nothing is automatically downloaded or executed beyond the included Python script. Risk from installation is low, but the package does include an executable script (twitter_client.py) which will run network requests when invoked.
Credentials
Only one credential (AISA_API_KEY) is required, which is proportionate to accessing a third‑party API. However: (1) the top-level metadata in the registry reported no required env vars while the SKILL.md declares AISA_API_KEY as primaryEnv — an inconsistency; and (2) the skill instructs including the API key in JSON POST bodies to api.aisa.one (credential-in-body). You must trust the remote operator (aisa.one) because that key will be transmitted and used by their relay.
Persistence & Privilege
The skill does not request always:true or any elevated persistent privileges. It does not modify other skills or system-wide configs. Autonomous invocation is allowed (platform default) but not combined with other alarming privileges.
What to consider before installing
What to check before you install: 1) Confirm you trust api.aisa.one / AIsa Team — the skill will send your AISA_API_KEY to that domain (Authorization header for GETs and aisa_api_key in POST bodies for the OAuth relay). 2) Be aware of metadata mismatches: the SKILL.md and python client require AISA_API_KEY, but the provided registry summary omitted that; plugin/package files also have inconsistent homepage/license values — these are signs of sloppy packaging or an unofficial build. 3) If you plan to use posting, open the OAuth URL in a browser as instructed (the skill explicitly says not to ask for Twitter passwords). 4) Prefer to obtain the skill from a verifiable source (official repo or homepage) and inspect the repo (or ask the maintainer) to resolve the licensing/metadata discrepancies. 5) If you proceed, use a dedicated/rotatable AISA_API_KEY with limited scope if possible, and revoke/rotate it if you later stop trusting the provider. Additional info that would raise confidence to 'benign': authoritative repository link, consistent registry metadata, maintainer identity verification, and a clear privacy/security statement from aisa.one about how they store/use API keys.Verification
{
"scanStatus": "pending",
"scope": "artifact-only",
"summary": "Validated package structure and extracted metadata.",
"tier": "structural"
}Tags
{
"latest": "0.1.0"
}