Falcon

Search, read, and interact with Twitter/X via TwexAPI

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 771 · 1 current installs · 1 all-time installs

by@BubblyJove

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

✓

Purpose & Capability

Name/description align with the implementation: the script calls a TwexAPI base URL to read/search and perform write/engagement actions on Twitter/X. Required binaries (curl, jq) are appropriate for the CLI implementation.

Instruction Scope

SKILL.md and falcon.sh instruct the agent to perform read and write operations through TwexAPI and explicitly require a TWITTER_COOKIE for write/engagement commands. The instructions also say to 'confirm with the user' before writes (good), but they allow sending the user's Twitter cookie to the external TwexAPI service — this transmits a sensitive credential outside the local machine. Additionally, TWITTER_COOKIE is referenced in runtime instructions but is not declared in the skill's metadata requires.env (inconsistency).

✓

Install Mechanism

No install spec is provided (instruction-only style). A script file is included but nothing is downloaded or extracted during install, so there is no high-risk remote install mechanism.

Credentials

Metadata declares only TWEXAPI_KEY as required, but the script requires TWITTER_COOKIE for any write actions and will include that cookie in POST bodies to api.twexapi.io. Requesting a full account cookie is high‑sensitivity: it can grant account access and is being sent to a third-party. The metadata mismatch (not declaring TWITTER_COOKIE) makes the requested access opaque to users.

✓

Persistence & Privilege

The skill does not request always: true and does not modify other skills or system settings. disable-model-invocation is false (normal). No excessive persistence or privileged platform presence is requested.

What to consider before installing

Things to check before installing or using this skill: - Understand what will be transmitted: the falcon script sends TWITTER_COOKIE (your Twitter auth cookie) to the third-party endpoint at api.twexapi.io for any write/engagement action. Treat this value like a password — supplying it to a third party can allow account actions. - Ask the author to fix the metadata: TWITTER_COOKIE is used by the code but is not declared in requires.env. The skill should explicitly list TWITTER_COOKIE as a required environment variable so you can make an informed decision. - Consider scope limitation: if you only need read/search, avoid setting TWITTER_COOKIE and limit usage to read-only commands while keeping TWEXAPI_KEY only. Confirm that the skill and the platform will prompt you before any write operation as claimed. - Verify trust in TwexAPI: review TwexAPI's privacy/security documentation and confirm that api.twexapi.io is the intended and legitimate service. Prefer delegated OAuth tokens or official API methods rather than sharing raw browser cookies. - If you must provide a cookie, consider using a throwaway/test account rather than your primary account. - Inspect the included falcon.sh yourself (or run it locally in a safe environment) before providing credentials; it transparently builds JSON bodies and uses temporary files for headers/bodies (which is good practice), so review the full code path for any unexpected endpoints. - Optional: ask the maintainer to change the design to avoid sending cookies (use TwexAPI-managed OAuth or server-side authentication) and to update SKILL.md and registry metadata to list all env vars and explain why each is needed. Given the sensitivity of cookies and the metadata mismatch, treat this skill as suspicious until the cookie-handling and metadata are clarified.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0

Download zip

latestvk97et8cfeaajgqz8yt4jx1c0zn80t1xf

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦅 Clawdis

OSmacOS · Linux

Binscurl, jq

EnvTWEXAPI_KEY

Primary envTWEXAPI_KEY

SKILL.md

falcon

Use falcon to read, search, and interact with Twitter/X.

Quick start

falcon check
falcon user elonmusk
falcon tweets elonmusk 5
falcon read <url-or-id>
falcon search "bitcoin" 10

Reading users

falcon user <username>               Profile info for a single user
falcon users <u1,u2,...>             Look up multiple users (comma-separated)
falcon find <keyword> [count]        Search for users by keyword (default: 5)
falcon followers <username> [count]  List followers (default: 20)
falcon following <username> [count]  List following (default: 20)

Reading tweets

falcon tweets <username> [count]     User's tweets and replies (default: 20)
falcon read <id-or-url> [...]        Read one or more tweets by ID or URL
falcon replies <id-or-url> [count]   Replies to a tweet (default: 20)
falcon similar <id-or-url>           Find similar tweets
falcon retweeters <id-or-url> [cnt]  Who retweeted a tweet (default: 20)

Searching

falcon search <query> [count]        Advanced search (default: 10)
falcon hashtag <tag> [count]         Search by hashtag (default: 20)
falcon cashtag <tag> [count]         Search by cashtag (default: 20)
falcon trending [country]            Trending topics (default: worldwide)

Posting (confirm with user first)

falcon tweet "text"
falcon reply <id-or-url> "text"
falcon quote <tweet-url> "text"

Engagement (confirm with user first)

falcon like <id-or-url>
falcon unlike <id-or-url>
falcon retweet <id-or-url>
falcon bookmark <id-or-url>
falcon follow <username>
falcon unfollow <username>

Account

falcon check                         Verify API key and cookie are set
falcon balance                       Check remaining API credits

Auth sources

TWEXAPI_KEY env var: TwexAPI bearer token (required for all commands)
TWITTER_COOKIE env var: Twitter auth cookie (required for write/engagement commands)

Important notes

- The falcon script lives at {baseDir}/falcon.sh
- All commands accept tweet URLs (x.com or twitter.com) or bare tweet IDs
- Always confirm with the user before executing any write or engagement command
- Search accepts any Twitter advanced search syntax
- Hashtags can be passed with or without the # prefix
- Cashtags can be passed with or without the $ prefix
- Country for trending uses slug format: united-states, united-kingdom, japan, etc.

Files

3 total

Select a file

Select a file to preview.

Comments

Loading comments…