Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

social-postcjo

Post and reply on Twitter and Farcaster with character limit checks, image support, threads, link shortening, and draft preview.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 436 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The described functionality (posting/replying to Twitter/X and Farcaster) matches what the SKILL.md asks you to do. However, the metadata claims 'no required env vars' and 'no required config paths' while the SKILL.md explicitly asks you to store Twitter keys in ~/.openclaw/.env and Farcaster keys in ~/.openclaw/farcaster-credentials.json. That mismatch between declared requirements and the instructions is inconsistent.
Instruction Scope
The SKILL.md tells the agent/user to create and store sensitive credentials (Twitter consumer/access tokens and Farcaster custody/signer private keys) in specific files and to run scripts (scripts/post.sh, scripts/reply.sh, scripts/check-balance.sh) that are not present in the package. It also references an absolute path (/home/phan_harry/.openclaw/.env) in places and ~/.openclaw elsewhere. Asking for plaintext private keys and directing the agent to run unspecified scripts expands the scope beyond a simple instruction-only skill and is a red flag.
Install Mechanism
There is no install specification and no code files — lowest disk write risk. However, the SKILL.md expects local helper scripts and other skills (farcaster-agent) to exist. Because those scripts are not included, the instructions are incomplete and may lead users to fetch or run external code without guidance.
Credentials
Requesting Twitter API keys and Farcaster custody/signing private keys is proportionate to the goal of posting on those platforms, but the skill metadata does not declare those requirements. The instructions further recommend storing private keys and tokens in plaintext files in specific locations (including a user-specific absolute path), which is risky. The SKILL.md also suggests enabling billing and funding a custody wallet — expected for Farcaster but increases risk if done under unclear provenance of scripts.
Persistence & Privilege
The skill is not set to always: true and does not declare modifications to other skills or system-wide settings. However, it instructs storing persistent credentials in a local directory (~/.openclaw), which gives the skill persistent access to secrets if the environment later runs the scripts it references. That persistence is normal for CLI-based posting tools but should be explicit in metadata.
What to consider before installing
This skill looks like a reasonable social-post helper, but there are important inconsistencies you should resolve before using it:

  • The SKILL.md expects local scripts (scripts/post.sh, scripts/reply.sh, scripts/check-balance.sh) and other skills (farcaster-agent) but the package contains no code — ask the author where those scripts come from and inspect them before running.
  • The metadata claims no required env or config paths, but the instructions tell you to store secrets in ~/.openclaw/.env and ~/.openclaw/farcaster-credentials.json (and even reference /home/phan_harry). That mismatch is suspicious — confirm the canonical config locations and update metadata.
  • The skill asks you to place private keys (custodyPrivateKey, signerPrivateKey, Twitter tokens) in plaintext files. If you proceed, restrict file permissions (chmod 600), keep backups secure, and prefer OAuth or delegated auth flows where possible. Do not paste private keys into unknown web forms or pastebins.
  • Do not run any scripts downloaded from untrusted sources. If the scripts are provided elsewhere, review their contents for network calls, uploads, or exfiltration before executing.
  • Consider testing with a throwaway account and using dry-run modes first (the SKILL.md mentions --dry-run).

Ask the publisher for: the missing scripts, a clear list of required env vars/config paths, and why absolute user paths appear in the docs. If the author cannot produce the referenced scripts or explain the metadata mismatch, treat the skill as untrusted and avoid providing your real credentials.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk97a4314vhjj2ja5xv4pkqs9ps817tx1

SKILL.md

Social Post 🐧

⏹ Quick setup here -> https://openclawcli.forum

Post to Twitter and/or Farcaster with automatic character limit validation and image upload handling.

Features

  • ✅ Post to Twitter only
  • ✅ Post to Farcaster only
  • ✅ Post to both platforms simultaneously
  • Reply to tweets and casts - respond to specific posts on both platforms
  • Draft preview - shows exactly what will be posted before confirmation
  • ✅ Character/byte limit validation
  • ✅ Image upload support (for posts and replies)
  • Thread support - automatically split long text into numbered posts
  • Link shortening - compress URLs using TinyURL (saves characters)
  • ✅ Auto-truncate on overflow (optional)

Platform Limits

  • Twitter: 252 characters (280 with 10% safety buffer)
  • Farcaster: 288 bytes (320 with 10% safety buffer)

Setup & Credentials

X/Twitter Setup

Required credentials (stored in /home/phan_harry/.openclaw/.env):

X_CONSUMER_KEY=your_consumer_key
X_CONSUMER_SECRET=your_consumer_secret
X_ACCESS_TOKEN=your_access_token
X_ACCESS_TOKEN_SECRET=your_access_token_secret
X_USERNAME=your_username
X_USER_ID=your_user_id

How to get credentials:

  1. Apply for X Developer Account

  2. Enable Consumption-Based Billing

    • Set up payment method (credit card) in Developer Portal
    • No subscription tiers - you pay only for actual API usage
    • Charged per API request (posts, reads, etc.)
    • No monthly minimums or fees
  3. Create an App

    • In Developer Portal, create a new App
    • Name: "Social Post Bot" (or any name)
    • Set permissions to "Read and Write"
  4. Generate Keys

    • Consumer Key & Secret: In "Keys and tokens" tab
    • Access Token & Secret: Click "Generate" under "Authentication Tokens"
    • Save all 4 credentials securely
  5. Add to .env file

    echo "X_CONSUMER_KEY=xxx" >> ~/.openclaw/.env
    echo "X_CONSUMER_SECRET=xxx" >> ~/.openclaw/.env
    echo "X_ACCESS_TOKEN=xxx" >> ~/.openclaw/.env
    echo "X_ACCESS_TOKEN_SECRET=xxx" >> ~/.openclaw/.env
    

Test your credentials:

# Dry run (won't post)
scripts/post.sh --twitter --dry-run "Test message"

Farcaster Setup

Required credentials (stored in /home/phan_harry/.openclaw/farcaster-credentials.json):

{
  "fid": "your_farcaster_id",
  "custodyAddress": "0x...",
  "custodyPrivateKey": "0x...",
  "signerPublicKey": "0x...",
  "signerPrivateKey": "0x...",
  "createdAt": "2026-01-01T00:00:00.000Z"
}

How to get credentials:

  1. Use farcaster-agent skill to create account

    # This will guide you through:
    # - Creating a wallet
    # - Registering FID
    # - Adding signer key
    # - Automatically saving credentials
    
    # See: /skills/farcaster-agent/SKILL.md
    
  2. Or use existing credentials

    • If you already have a Farcaster account
    • Export your custody wallet private key
    • Export your signer private key
    • Manually create the JSON file
  3. Fund the custody wallet (REQUIRED)

    # Check current balance
    scripts/check-balance.sh
    
    # Send USDC to custody address on Base chain
    # Minimum: 0.1 USDC (~100 casts)
    # Recommended: 1-5 USDC (1000-5000 casts)
    
  4. Verify setup

    # Check credentials exist
    ls -la ~/.openclaw/farcaster-credentials.json
    
    # Check wallet balance
    scripts/check-balance.sh
    
    # Test posting (dry run)
    scripts/post.sh --farcaster --dry-run "Test message"
    

Security Notes:

  • ⚠️ Never share your private keys
  • ⚠️ Credentials are stored as plain text - secure your system
  • ⚠️ .env file should have 600 permissions (read/write owner only)
  • ⚠️ Back up your credentials securely
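
The permission advice in the notes above, as an added shell example (not part of this skill or of the scripts it references): it audits the directory and the two secret files this SKILL.md names and tightens them to owner-only access. The function names are hypothetical; the default directory ~/.openclaw is taken from the setup steps.

```shell
#!/usr/bin/env bash
# Added example: audit and harden the secret files this SKILL.md asks you to create.
# Function names are hypothetical; paths come from the setup steps above.

# Print the group/other permission bits of a path, e.g. "r--r--" for mode 644.
group_other_bits() {
  ls -ld -- "$1" | cut -c5-10
}

# Succeed only if the path exists and grants nothing to group or other.
is_owner_only() {
  [ -e "$1" ] && [ "$(group_other_bits "$1")" = "------" ]
}

# Print one line per path; return the number of findings (0 = clean).
audit_openclaw_secrets() {
  local dir findings p
  dir="${1:-$HOME/.openclaw}"
  findings=0
  for p in "$dir" "$dir/.env" "$dir/farcaster-credentials.json"; do
    if [ -L "$p" ]; then
      # A symlink means the secret really lives somewhere else; check that target.
      echo "SYMLINK  $p"; findings=$((findings + 1))
    elif [ ! -e "$p" ]; then
      echo "MISSING  $p"
    elif ! is_owner_only "$p"; then
      echo "EXPOSED  $p ($(ls -ld -- "$p" | cut -c1-10))"; findings=$((findings + 1))
    else
      echo "OK       $p"
    fi
  done
  return "$findings"
}

# Tighten permissions: 700 on the directory, 600 on each regular secret file.
harden_openclaw_secrets() {
  local dir f
  dir="${1:-$HOME/.openclaw}"
  chmod 700 -- "$dir"
  for f in "$dir/.env" "$dir/farcaster-credentials.json"; do
    [ -f "$f" ] && [ ! -L "$f" ] && chmod 600 -- "$f"
  done
  return 0
}

# Run as: bash this-file.sh audit [dir]
if [ "${1:-}" = "audit" ]; then audit_openclaw_secrets "${2:-}"; fi
```

Files created with `echo ... >> ~/.openclaw/.env` inherit the shell's umask, which is commonly 022 (mode 644), so run the audit after the setup steps rather than assuming the files are already private.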

Usage

Posting

Text only

# Post to both platforms
scripts/post.sh "Your message here"

# Twitter only
scripts/post.sh --twitter "Your message"

# Farcaster only
scripts/post.sh --farcaster "Your message"

With image

# Post to both platforms with image
scripts/post.sh --image /path/to/image.jpg "Your caption"

# Twitter only with image
scripts/post.sh --twitter --image /path/to/image.jpg "Caption"

# Farcaster only with image
scripts/post.sh --farcaster --image /path/to/image.jpg "Caption"

Replying

Reply to Twitter

# Reply to a tweet
scripts/reply.sh --twitter TWEET_ID "Your reply"

# Reply with image
scripts/reply.sh --twitter TWEET_ID --image /path/to/image.jpg "Reply with image"

# Get tweet ID from URL: twitter.com/user/status/[TWEET_ID]
scripts/reply.sh --twitter 1234567890123456789 "Great point!"

Reply to Farcaster

# Reply to a cast
scripts/reply.sh --farcaster CAST_HASH "Your reply"

# Reply with image
scripts/reply.sh --farcaster 0xabcd1234... --image /path/to/image.jpg "Reply with image"

# Get cast hash from URL: farcaster.xyz/~/conversations/[HASH]
scripts/reply.sh --farcaster 0xa1b2c3d4e5f6... "Interesting perspective!"

Reply to both platforms

# Reply to both (if you have corresponding IDs on both platforms)
scripts/reply.sh --twitter 123456 --farcaster 0xabcd... "Great discussion!"

Options

For post.sh (posting)

  • --twitter - Post to Twitter only
  • --farcaster - Post to Farcaster only
  • --image <path> - Attach image
  • --thread - Split long text into numbered thread
  • --shorten-links - Shorten URLs to save characters
  • --truncate - Auto-truncate if over limit
  • --dry-run - Preview without posting
  • -y, --yes - Skip confirmation prompt (auto-confirm)

For reply.sh (replying)

  • --twitter <tweet_id> - Reply to Twitter tweet with this ID
  • --farcaster <cast_hash> - Reply to Farcaster cast with this hash
  • --image <path> - Attach image to reply
  • --shorten-links - Shorten URLs to save characters
  • --truncate - Auto-truncate if over limit
  • --dry-run - Preview without replying
  • -y, --yes - Skip confirmation prompt (auto-confirm)

Examples

Posting Examples

# Quick post to both
scripts/post.sh "gm! Building onchain 🦞"

# Twitter announcement with image
scripts/post.sh --twitter --image ~/screenshot.png "New feature shipped! 🚀"

# Farcaster only
scripts/post.sh --farcaster "Just published credential-manager to ClawHub!"

# Long text as thread (auto-numbered)
scripts/post.sh --thread "This is a very long announcement that exceeds the character limit. It will be automatically split into multiple numbered posts. Each part will be posted sequentially to create a thread. (1/3), (2/3), (3/3)"

# Shorten URLs to save characters
scripts/post.sh --shorten-links "Check out this amazing project: https://github.com/very-long-organization-name/very-long-repository-name"

# Combine thread + link shortening
scripts/post.sh --thread --shorten-links "Long text with multiple links that will be shortened and split into a thread if needed"

# Both platforms, auto-truncate long text
scripts/post.sh --truncate "Very long message that might exceed limits..."

# Post without the confirmation prompt (for automated workflows)
scripts/post.sh --yes "Automated post from CI/CD"

Reply Examples

# Reply to a Twitter thread
scripts/reply.sh --twitter 1234567890123456789 "Totally agree with this take! 💯"

# Reply to Farcaster cast
scripts/reply.sh --farcaster 0xa1b2c3d4e5f6... "Great insight! Have you considered...?"

# Reply with shortened links
scripts/reply.sh --twitter 123456 --shorten-links "Here's more info: https://example.com/very-long-article-url"

# Reply with image
scripts/reply.sh --twitter 123456 --image ~/chart.png "Here's the data to support this"

# Reply to both platforms (same message)
scripts/reply.sh --twitter 123456 --farcaster 0xabc123 "This is exactly right 🎯"

# Quick reply without confirmation
scripts/reply.sh --twitter 123456 --yes "Quick acknowledgment"

# Dry run to preview reply
scripts/reply.sh --twitter 123456 --dry-run "Test reply preview"

Draft Preview

The script now shows a draft preview before posting:

=== Draft Preview ===

Text to post:
─────────────────────────────────────────────
Your message here
─────────────────────────────────────────────

Targets:
  • Twitter
  • Farcaster

Proceed with posting? (y/n):

  • Interactive mode: Prompts for confirmation
  • Non-interactive/automated: Use --yes flag to skip prompt
  • Dry run: Use --dry-run to preview without any posting

Requirements

  • Twitter credentials in .env (X_CONSUMER_KEY, X_CONSUMER_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET)
  • Farcaster credentials in /home/phan_harry/.openclaw/farcaster-credentials.json
  • USDC on Base chain (custody wallet): 0.001 USDC per Farcaster cast
  • For images: curl, jq

Costs

X/Twitter

  • 100% Consumption-based - NO subscription tiers (tiers have been eliminated)
  • Pay per API request - charged for each call (post, read, etc.)
  • No monthly fees, no minimums, no tier upgrades to worry about
  • Automatic billing based on actual usage
  • Payment via credit card through X Developer portal
  • Uses OAuth 1.0a (no blockchain/USDC required)
  • Requires approved X Developer account + enabled billing

Official pricing: https://developer.twitter.com/#pricing

Critical: X API completely eliminated subscription tiers (Basic, Pro, etc.). The model is now purely pay-per-use - you are charged only for the API requests you actually make.

Farcaster

Each Farcaster cast costs 0.001 USDC (paid via x402 protocol):

  • Deducted from custody wallet on Base chain
  • Sent to Neynar Hub: 0xA6a8736f18f383f1cc2d938576933E5eA7Df01A1
  • ~$1 USDC = 1000 casts

Check balance:

# Quick check
scripts/check-balance.sh

# Manual check
jq -r '.custodyAddress' ~/.openclaw/farcaster-credentials.json
# View on basescan.org

Fund wallet: Send USDC to custody address on Base chain. Bridge from other chains if needed.

Image Hosting

  • Twitter: Direct upload via Twitter API
  • Farcaster: Uploads to imgur for public URL (embeds automatically)

Error Handling

  • Shows character/byte count before posting
  • Warns if exceeding limits
  • Option to truncate or abort
  • Validates credentials before attempting post

🐧 Built by 무펭이 · 무펭이즘 (Mupengism) ecosystem skill
