X tweet publisher
v1.0.6
Publish tweets to X (Twitter) using the official Tweepy library. Supports text-only tweets, tweets with images or videos, and returns detailed publish result...
⭐ 4· 1.8k·3 current·3 all-time
by manifold @manifoldor
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, and scripts/x_publisher.py all consistently implement a Twitter/X publisher using Tweepy and legitimately require X API credentials. However, the registry metadata claims 'Required env vars: none' and 'Primary credential: none' while the SKILL.md and code clearly require X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET (and optionally X_BEARER_TOKEN). This is a packaging/metadata mismatch that could confuse users or automated permission checks.
Instruction Scope
Runtime instructions and the script stay within the expected scope: install tweepy, set API credentials in environment variables, verify credentials, upload local media files, and call the X API. The instructions do not ask for unrelated files, other service credentials, or to exfiltrate data to third-party endpoints.
Install Mechanism
This is an instruction-only skill (no install spec). It suggests installing tweepy via pip, which matches the code's import dependency. No arbitrary downloads, URL-based installers, or archive extraction are present.
Credentials
The environment variables requested by the SKILL.md and used in the code are exactly the expected Twitter/X credentials (API key/secret, access token/secret, optional bearer token). That is proportionate. Note again the registry metadata does not declare these required env vars — the skill will fail if those vars are not actually provided at runtime.
Persistence & Privilege
The skill does not request 'always: true' or any elevated platform persistence. It does not modify other skills or system-wide settings. Autonomous invocation (disable-model-invocation=false) is the default and not, by itself, a concern here.
Assessment
This skill appears to implement what it claims (a Tweepy-based X/Twitter publisher). Before installing or running it:
1) Verify you trust the source — the package has no homepage and the registry metadata omits the env var requirements.
2) Do not paste credentials into code or version control — set the four OAuth env vars (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET) and optionally X_BEARER_TOKEN in your environment.
3) Limit the credentials' permissions (use a token with only the needed write scope) and consider using a dedicated account.
4) Inspect the full script in your environment (the provided file preview was truncated) to ensure there are no hidden network calls or telemetry.
5) Run it in a controlled environment (local or isolated container) and confirm behavior with the verify command before any automation or batch publishing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Environment variables
X_API_KEY: required
X_API_SECRET: required
X_ACCESS_TOKEN: required
X_ACCESS_TOKEN_SECRET: required
X_BEARER_TOKEN: required