Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lebevolae X Post

Automatically post text or a single local image tweet to X/Twitter using provided developer credentials.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 38 · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md clearly requires the four Twitter OAuth 1.0a credentials (API key/secret and access token/secret), which is coherent with a posting-to-X capability; however, the registry metadata lists no required environment variables and no primary credential. That mismatch between the declared metadata and the runtime instructions is a material inconsistency.
Instruction Scope
Instructions are simple and scoped to posting text or a single local image to X, and they direct the agent to use local image paths and environment variables. Reading a local image file is expected for this purpose, but the instructions let the agent read arbitrary local paths (the example uses C:\Users\...\photo.jpg), so an agent granted broad file-access permissions could read other files as well.
Install Mechanism
Instruction-only skill with no install spec or downloaded code; this minimizes supply-chain risk because nothing is written to disk or fetched at install time.
Credentials
Requesting the four OAuth credentials is proportionate to the stated function, but the registry metadata does not declare any required env vars or a primary credential. That omission could lead users to overlook that they must supply sensitive, write-capable tokens, increasing the risk of accidental credential exposure or misuse.
Persistence & Privilege
The skill is not force-enabled (always=false) and uses the platform default allowing autonomous invocation. That is normal, but combined with write-capable Twitter credentials it means the agent could post to X without further prompts if it invokes the skill—consider restricting invocation or using tokens for a throwaway account.
What to consider before installing
Do not install or provide your primary Twitter/X credentials until the metadata mismatch is resolved. Ask the publisher why the registry lists no required env vars while SKILL.md requires four OAuth tokens. If you still want to test it:
1) create a throwaway Twitter developer app and account, or use tokens with only test permissions;
2) store credentials in the platform's secure config rather than pasting them into chat;
3) restrict the agent's ability to run autonomously, or require explicit confirmation before posting; and
4) verify the skill's behavior first on a test post to ensure it only posts what you expect.
If the publisher cannot explain the metadata omission, treat the package as untrusted.


Current version: v1.0.1
latest: vk97avkk8e4pjq32xkbjekmanvh832stk


SKILL.md

---
name: Leo X Poster
slug: lebevolae-x-post
version: 0.1.0
description: "Leo 的自定义技能:自动发推文到 X/Twitter,支持文本和图片"
author: "Leo Liu (@LBevolae)"
tags: [twitter, x, post, social]
requirements:
  - TWITTER_API_KEY
  - TWITTER_API_SECRET
  - TWITTER_ACCESS_TOKEN
  - TWITTER_ACCESS_SECRET
---

## Features

Post a tweet to X, either plain text or with one local image attached.

## Usage examples

leo, tweet: The weather is nice today! #test

leo, tweet with image: content xxx, image C:\Users\bazin\Desktop\photo.jpg

## Configuration

Requires the 4 credentials of an X Developer account (apply for an App at https://developer.twitter.com with OAuth 1.0a read+write).

Set them as environment variables or in the OpenClaw config.

Files

1 total
