Neomano X (Tweet Publisher + Image)
v0.1.0
Draft, revise, and publish X (Twitter) posts with an image using the X API. Use when the user asks for a tweet/post for X, wants to attach an image, and requ...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (X/Twitter post + image) align with the code and required artifacts: python3 is required and the code uses OAuth1 and the Twitter/X media and tweets endpoints. The required env vars (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET) are the expected credentials for this functionality.
Instruction Scope
SKILL.md confines actions to drafting and publishing tweets and describes a manual approval step; the runtime scripts implement only OAuth token acquisition, media upload, and tweet creation against twitter.com/api endpoints. Note: SKILL.md recommends storing credentials in ~/.openclaw/.env (a local file) — this is a convenience but increases the risk of secrets on disk, so users should secure that file. There is no hidden file/system scanning or external data exfiltration beyond the X/Twitter APIs.
Install Mechanism
No package-install spec in the registry; shipped scripts create a local Python venv and pip-install two small dependencies (requests, requests_oauthlib). This is proportionate for the stated purpose and uses standard PyPI packages; the venv is local to the skill and avoids system-wide changes.
Credentials
The required environment variables are exactly the OAuth 1.0a credentials needed to upload media and publish tweets. There are no unrelated secrets requested. An optional X_OAUTH_CALLBACK is referenced for the OAuth flow — expected and reasonable.
Persistence & Privilege
The skill is not always-enabled (always: false) and is user-invocable; it does not request elevated platform privileges or modify other skill configs. Autonomous invocation is permitted by default (disable-model-invocation: false) which is normal for skills and not itself a concern here.
Assessment
This skill appears to do exactly what it says: help draft and publish X/Twitter posts with an image. Before installing: (1) Only provide the four OAuth env vars if you trust the skill—these are full publish credentials and allow posting with your account; consider creating a limited app/token if appropriate. (2) The skill suggests storing credentials in ~/.openclaw/.env — if you do, secure that file (filesystem permissions, avoid backups). (3) The bootstrap installs requests and requests_oauthlib into a local .venv; review or vet those packages if your environment restricts external downloads. (4) The SKILL.md requires an explicit user confirmation step (PUBLICAR/PUBLISH) before posting; ensure your agent or UI enforces that workflow so posts aren't published without explicit approval. If you need higher assurance, inspect the shipped scripts locally (they are small and readable) and rotate tokens after testing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
𝕏 Clawdis
Bins: python3
Env: X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET
Primary env: X_API_KEY
