clawbuilder

X Engagement Pro

Author: ClawPhilSledge · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads 100
Favorites 0
Current installs 0
Versions 3
Install in OpenClaw
/install x-engagement-pro
Description
Automates authentic engagement on X by monitoring AI image generation conversations, responding, amplifying content, and tracking metrics for brand growth.
Safe-use recommendations
Before installing, verify the following:
  1. Resolve the metadata mismatch: the registry summary claims no required env vars but skill.json/README/agent code require X_API_KEY (and optional ALIGNED_NEWS_API_KEY). Only proceed if the registry/package owner confirms this.
  2. Inspect the referenced GitHub repo (skill.json/README point to github.com/notphilsledge/x-engagement-pro); confirm the repo and author identity and review recent commits.
  3. Confirm the 'xapi' CLI the code execs is a trusted binary: verify its origin, that it's the expected X API client, and that your PATH can't be manipulated to point to a malicious replacement.
  4. Limit the X API key's permissions to the minimum (prefer read/write scopes as required but avoid broad account scopes), and consider creating a dedicated account for automated engagement.
  5. Run the skill in manual mode first (no auto-post) and in an isolated/test gateway to observe behavior and logs, confirming it does not leak credentials or call unexpected endpoints.
  6. If you rely on the OpenClaw runtime's openclaw-tools.exec implementation, confirm whether it logs environment variables or passes them to other systems.
  7. If you are not comfortable with these open questions (source verification, CLI trust, metadata inconsistency), treat the skill as untrusted until you can audit the repository and runtime environment.
Functional analysis
Type: OpenClaw Skill
Name: x-engagement-pro
Version: 1.2.0
The skill contains critical shell injection vulnerabilities in `agents/engagement-agent.js` where user-defined keywords and external data from the X API (post IDs) are directly interpolated into shell commands via the `exec` function (e.g., `xapi search --query "${kw}"` and `xapi reply --id ${post.id}`). While these flaws could allow for Remote Code Execution (RCE) if an attacker influences the input, there is no evidence of intentional malice, data exfiltration, or backdoors. The code's logic remains consistent with its stated purpose of automating social media engagement.
Capability assessment
Purpose & Capability
The code, README, SKILL.md, and skill.json all describe an X (Twitter) engagement tool and require X API credentials and optionally an Aligned News key — which is coherent with the stated purpose. However, the registry metadata at the top of this report lists no required environment variables or primary credential, which contradicts the skill.json/README/SKILL.md. That mismatch is unexplained and reduces trust.
Instruction Scope
SKILL.md and the code are focused on monitoring and posting on X and integrating Aligned News for Pro features. The agent's runtime instructions and code do not request unrelated system files or broad data collection. However, the agent uses exec to invoke an external 'xapi' CLI repeatedly; that means the skill's behavior depends on an external binary and could run arbitrary commands if that binary or PATH is tampered with.
Install Mechanism
This is instruction-plus-code with no install spec and no network download steps in the package. No archives are fetched and no third-party packages are installed by the skill itself. That minimizes install-time risk, but it assumes a trusted runtime environment (openclaw gateway and an 'xapi' CLI).
Credentials
Requiring an X API key and an optional Aligned News API key is proportionate to the skill's functionality (posting, reading, analytics). But the package metadata shown at the top (registry summary) claims no required env vars while skill.json/README/code require X_API_KEY and optionally ALIGNED_NEWS_API_KEY — an inconsistency that should be resolved before trusting the skill. Also confirm the minimum permissions/scopes requested for the X API key (read vs write).
Persistence & Privilege
The skill is not 'always: true' and is user-invocable. It does not request system-wide config changes or access to other skills' credentials. It operates within the agent context and does not require elevated or persistent platform privileges.
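How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install x-engagement-pro
  3. Once installation completes, invoke the Skill by name or trigger it with /x-engagement-pro
  4. Provide the required inputs according to the Skill's parameter description to get structured output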
Version history
v1.2.0
Fixed security flags - added source repo, declared env vars, added agent code
v1.1.0
Added pricing - Free tier with limits, Pro at .99/month
v1.0.0
Initial release - X engagement system for AI image generation brands
Metadata
Slug x-engagement-pro
Version 1.2.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 3
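FAQ

What is X Engagement Pro?

Automates authentic engagement on X by monitoring AI image generation conversations, responding, amplifying content, and tracking metrics for brand growth. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 100 total downloads to date.

How do I install X Engagement Pro?

Run the command "/install x-engagement-pro" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is X Engagement Pro free?

Yes, X Engagement Pro is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does X Engagement Pro support?

X Engagement Pro is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed X Engagement Pro?

It is developed and maintained by ClawPhilSledge (@clawbuilder); the current version is v1.2.0.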
