X Engagement Pro
by ClawPhilSledge · v1.2.0 · MIT-0
100 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install x-engagement-pro
Description
Automates authentic engagement on X by monitoring AI image generation conversations, responding, amplifying content, and tracking metrics for brand growth.
Usage Guidance
Before installing, verify the following:
1) Resolve the metadata mismatch: the registry summary claims no required env vars, but skill.json/README/agent code require X_API_KEY (and optional ALIGNED_NEWS_API_KEY). Only proceed if the registry/package owner confirms this.
2) Inspect the referenced GitHub repo (skill.json/README point to github.com/notphilsledge/x-engagement-pro); confirm the repo and author identity and review recent commits.
3) Confirm the 'xapi' CLI the code execs is a trusted binary: verify its origin, that it's the expected X API client, and that your PATH can't be manipulated to point to a malicious replacement.
4) Limit the X API key's permissions to the minimum (prefer read/write scopes as required but avoid broad account scopes), and consider creating a dedicated account for automated engagement.
5) Run the skill in manual mode first (no auto-post) and in an isolated/test gateway to observe behavior and logs, confirming it does not leak credentials or call unexpected endpoints.
6) If you rely on the OpenClaw runtime's openclaw-tools.exec implementation, confirm whether it logs environment variables or passes them to other systems.
7) If you are not comfortable with these open questions (source verification, CLI trust, metadata inconsistency), treat the skill as untrusted until you can audit the repository and runtime environment.
Capability Analysis
Type: OpenClaw Skill
Name: x-engagement-pro
Version: 1.2.0
The skill contains critical shell injection vulnerabilities in `agents/engagement-agent.js` where user-defined keywords and external data from the X API (post IDs) are directly interpolated into shell commands via the `exec` function (e.g., `xapi search --query "${kw}"` and `xapi reply --id ${post.id}`). While these flaws could allow for Remote Code Execution (RCE) if an attacker influences the input, there is no evidence of intentional malice, data exfiltration, or backdoors. The code's logic remains consistent with its stated purpose of automating social media engagement.
Capability Assessment
Purpose & Capability
The code, README, SKILL.md, and skill.json all describe an X (Twitter) engagement tool and require X API credentials and optionally an Aligned News key — which is coherent with the stated purpose. However, the registry metadata at the top of this report lists no required environment variables or primary credential, which contradicts the skill.json/README/SKILL.md. That mismatch is unexplained and reduces trust.
Instruction Scope
SKILL.md and the code are focused on monitoring and posting on X and integrating Aligned News for Pro features. The agent's runtime instructions and code do not request unrelated system files or broad data collection. However, the agent uses exec to invoke an external 'xapi' CLI repeatedly; that means the skill's behavior depends on an external binary and could run arbitrary commands if that binary or PATH is tampered with.
Install Mechanism
This is instruction-plus-code with no install spec and no network download steps in the package. No archives are fetched and no third-party packages are installed by the skill itself. That minimizes install-time risk, but it assumes a trusted runtime environment (openclaw gateway and an 'xapi' CLI).
Credentials
Requiring an X API key and an optional Aligned News API key is proportionate to the skill's functionality (posting, reading, analytics). But the package metadata shown at the top (registry summary) claims no required env vars while skill.json/README/code require X_API_KEY and optionally ALIGNED_NEWS_API_KEY — an inconsistency that should be resolved before trusting the skill. Also confirm the minimum permissions/scopes requested for the X API key (read vs write).
Persistence & Privilege
The skill is not 'always: true' and is user-invocable. It does not request system-wide config changes or access to other skills' credentials. It operates within the agent context and does not require elevated or persistent platform privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install x-engagement-pro
- After installation, invoke the skill by name or use /x-engagement-pro
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Fixed security flags - added source repo, declared env vars, added agent code
v1.1.0
Added pricing - Free tier with limits, Pro at .99/month
v1.0.0
Initial release - X engagement system for AI image generation brands
Frequently Asked Questions
What is X Engagement Pro?
Automates authentic engagement on X by monitoring AI image generation conversations, responding, amplifying content, and tracking metrics for brand growth. It is an AI Agent Skill for Claude Code / OpenClaw, with 100 downloads so far.
How do I install X Engagement Pro?
Run "/install x-engagement-pro" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is X Engagement Pro free?
Yes, X Engagement Pro is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does X Engagement Pro support?
X Engagement Pro is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created X Engagement Pro?
It is built and maintained by ClawPhilSledge (@clawbuilder); the current version is v1.2.0.