X Twitter

v1.0.2

X/Twitter manager: post, reply, search, like, retweet & get analytics. Requires: powershell/pwsh. Reads ~/.config/x-twitter/credentials.json (X_API_KEY, X_AP...

by seph @seph1709
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, declared required binaries (powershell/pwsh), and the explicit requirement to read ~/.config/x-twitter/credentials.json align with a Twitter/X API manager that needs OAuth keys and secrets. There are no unrelated env vars, binaries, or config paths requested.
Instruction Scope
SKILL.md explicitly instructs the agent to read the local credentials file, construct OAuth 1.0a headers, and call api.twitter.com endpoints. It does not instruct reading unrelated system files, requesting other credentials, or sending data to third-party endpoints. The doc also advises restricting file permissions and rotating tokens, which is appropriate operational guidance.
Install Mechanism
There is no install spec and no code files to write to disk; the skill is instruction-only. This minimizes install-time risk—nothing is downloaded or installed by the skill itself.
Credentials
The only sensitive data required are the four OAuth fields stored in the declared credentials.json path, which is necessary for the stated capabilities. No unrelated credentials or broad environment access is requested.
Persistence & Privilege
always is false (default). The skill is user-invocable and may be called autonomously (platform default), but it does not request permanent presence or system-wide configuration changes.
Assessment
This skill appears coherent for managing an X/Twitter account via API using PowerShell and a local credentials file. Before installing: (1) Create a dedicated X Developer App and use app/tokens with the minimum permissions needed (prefer read-only when possible until you need write actions). (2) Store credentials in the indicated file and set strict file permissions (chmod 600 / icacls) as recommended. (3) Treat the access token/secret as sensitive and rotate/revoke them if the host or skill usage is ever suspect. (4) Remember the skill is instruction-only: it relies on the agent's runtime for network calls — only grant it to agents you trust to make requests to api.twitter.com. (5) If you need stronger assurance, review the truncated request examples in SKILL.md (or test in an isolated environment) to confirm all network calls go only to api.twitter.com and that no additional telemetry or external endpoints are used.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

[x] Clawdis
Any bin: powershell, pwsh