ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Composio Composer Xskill

v1.0.0

Enables posting tweets to Twitter/X through Composio's integration platform via HTTP and BeautifulSoup. Use when posting tweets or integrating with Composio.

0· 393·0 current·0 all-time
by@austindixson

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for austindixson/composio-composer-xskill.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Composio Composer Xskill" (austindixson/composio-composer-xskill) from ClawHub.
Skill page: https://clawhub.ai/austindixson/composio-composer-xskill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install austindixson/composio-composer-xskill

ClawHub CLI

Package manager switcher

npx clawhub@latest install composio-composer-xskill
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and docs implement posting/reading/deleting tweets via Composio (HTTP + BeautifulSoup) which matches the skill name/description. However the registry metadata claims no required environment variables while SKILL.md, README.md and config.py reference several COMPOSIO_* variables — this mismatch is unexplained and reduces trust in the metadata.
Instruction Scope
Runtime instructions and the code focus on HTTP interactions with Composio and HTML parsing/submission via BeautifulSoup, which is within the stated purpose. The SKILL.md instructs installing requests/bs4/python-dotenv and configuring a .env or environment variables; note that storing tokens in a .env file (suggested by docs) is a security consideration but is not itself unexpected for this type of skill.
Install Mechanism
There is no platform install spec (instruction-only style), but the package includes code files and a requirements.txt. The SKILL.md instructs pip installing the listed deps (requests, beautifulsoup4, python-dotenv) — these are standard PyPI packages. No remote downloads or obscure install sources are present. It's slightly inconsistent that the registry lists 'no install spec' while full code is bundled, but this is not inherently dangerous.
!
Credentials
The skill requires several Composio-specific credentials (COMPOSIO_CLIENT_ID, COMPOSIO_API_KEY, COMPOSIO_SESSION_TOKEN, COMPOSIO_BEARER_TOKEN, COMPOSIO_USER_ID) per SKILL.md and config.py. The registry metadata, however, lists no required env vars — that is an inconsistency. The secrets requested are proportional to the stated function, but the mismatch in declared vs. actual required variables and the docs' suggestion to store them in a .env file warrant caution.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges and does not attempt to modify other skills or system configuration. It reads environment variables at import time via config.from_env() and offers a from_file() loader, which is normal for a client library.
What to consider before installing
What to check before installing: - Source and trust: The skill's Source/Homepage are unknown; prefer skills from a known publisher. Review the bundled code yourself or run it in an isolated environment before granting real credentials. - Metadata mismatch: The registry declares no required env vars but SKILL.md and config.py expect multiple COMPOSIO_* secrets. Treat that as a red flag and verify which variables the runtime actually needs. - README vs. API mismatch: README examples omit an auth token while __init__.py and SKILL.md show a composio_auth_token parameter and config.py reads env vars. Ensure you know whether you must pass tokens in calls or rely on env vars. - .env handling: Docs recommend python-dotenv but the code does not call load_dotenv() (config.py uses os.getenv). If you plan to use a .env file, you must load it yourself; storing tokens in plaintext files has risk — store secrets securely and limit file permissions. - Least privilege & rotation: Create and use Composio credentials with minimal permissions, and be prepared to rotate tokens if you install/remove the skill. - Network endpoints: The default api base is https://backend.composio.dev/api/v1 — confirm this is the correct and expected endpoint for your account. - If unsure, ask the publisher for clarification (who maintains the skill), or run the code in a sandbox and inspect network traffic before providing production credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk9794az1ywhcact0q2v07j7nkd81y3z5
393downloads
0stars
1versions
Updated 9h ago
v1.0.0
MIT-0
@austindixson
latest
Download

Composio Composer X Skill

This skill enables posting tweets to Twitter/X through Composio's integration platform. It uses HTTP requests with BeautifulSoup to interact with Composio's web interface, providing a post_tweet function that can be called from OpenClaw.

Installation

  1. Install dependencies:

    pip install requests beautifulsoup4 python-dotenv

  2. Configure credentials in .env file or environment

  3. Import and use the skill in your OpenClaw workflow

Tool Definitions

post_tweet

Posts a tweet to Twitter/X using Composio.

Function Signature:

def post_tweet(content: str, composio_auth_token: str) -> dict:

Parameters:

  • content (str): The tweet content (max 280 characters)
  • composio_auth_token (str): The Composio authentication token for authorization

Returns:

  • dict: Contains:
    • success (bool): Whether the tweet was posted successfully
    • tweet_id (str): The posted tweet's ID (on success)
    • tweet_url (str): URL to view the tweet (on success)
    • error (str): Error message (on failure)

Example:

result = post_tweet(
    content="Hello from OpenClaw! 🐾",
    composio_auth_token="your_composio_auth_token_here"
)
print(f"Tweet posted: {result.get('tweet_url')}")

get_tweet

Retrieves a tweet by ID.

Function Signature:

def get_tweet(tweet_id: str, composio_auth_token: str) -> dict:

Parameters:

  • tweet_id (str): The tweet ID to retrieve
  • composio_auth_token (str): The Composio authentication token

Returns:

  • dict: Contains tweet data or error information

delete_tweet

Deletes a tweet.

Function Signature:

def delete_tweet(tweet_id: str, composio_auth_token: str) -> dict:

Parameters:

  • tweet_id (str): The tweet ID to delete
  • composio_auth_token (str): The Composio authentication token

Returns:

  • dict: Contains success (bool) and status message

Configuration

The skill requires the following environment variables:

  • COMPOSIO_CLIENT_ID: Your Composio client ID
  • COMPOSIO_API_KEY: Your Composio API key
  • COMPOSIO_SESSION_TOKEN: Your Composio session token
  • COMPOSIO_BEARER_TOKEN: Your Composio bearer token
  • COMPOSIO_USER_ID: Your Composio user ID

Notes

  • This implementation uses HTTP requests to emulate Composio interaction
  • Direct API access through OpenClaw is currently unavailable
  • Rate limits apply per Twitter/X and Composio policies
  • Session tokens expire after 7200 seconds (2 hours)

Comments

Loading comments...