Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tweet Cli

Post tweets, replies, and quotes to X/Twitter using the official API v2. Use this instead of bird for posting. Uses API credits so only post when explicitly...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 560 · 2 current installs · 2 all-time installs
Security Scan

  • VirusTotal: Suspicious
  • OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (post tweets via X API v2) aligns with required items: a tweet-cli binary and the four X API credentials are exactly what a posting CLI needs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to install and run tweet-cli, create a per-user config file in ~/.config/tweet-cli/.env, and confirm with the user before posting. It does not instruct reading unrelated system files or exfiltrating data. The explicit rule to avoid speculative posting reduces risk.
Install Mechanism
Install guidance uses npm to install directly from a GitHub tag (npm install -g github:0xmythril/tweet-cli#v1.0.0). This is a common pattern but has more risk than installing a vetted package from a central registry because it pulls code from a repository. The registry metadata shows 'No install spec' while SKILL.md provides an install command — this is a small metadata inconsistency but not a security red flag by itself.
Credentials
The four required environment variables (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET) are the standard credentials needed to post via X's API. No other secrets or unrelated env vars are requested. The instructions store credentials in a user-scoped config file (~/.config/tweet-cli/.env) and recommend chmod 600, which is reasonable for a CLI.
Persistence & Privilege
The skill does not request always: true, does not modify system-wide or other-skill configuration, and its persistent footprint is limited to a per-user config file in the user's home directory. Agent autonomous invocation is allowed by default but not combined with other concerning privileges here.
Assessment
This skill appears coherent for posting to X/Twitter, but follow these precautions before installing or using it:

  1. Inspect the GitHub repo and package.json yourself (or run npm pack --dry-run) to confirm there are no postinstall scripts or unexpected telemetry.
  2. Prefer creating a dedicated API key/account with minimal permissions for automated posting.
  3. Store credentials in a secure secrets store if available rather than plaintext files (if you use ~/.config/tweet-cli/.env, keep chmod 600 as recommended).
  4. Be cautious about installing from a GitHub tag: verify the exact tag and review recent commits and releases.
  5. Ensure the agent asks the user to confirm every post (the SKILL.md instructs this) and do not allow speculative posting.

If you want lower-risk verification, request that the skill author publish a release tarball or an npm package on the official registry and provide a checksum for audit.


Current version: v1.0.0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Runtime: Clawdis
Bins: tweet-cli
Env: X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET

SKILL.md

tweet-cli

Post to X/Twitter using the official API v2. This tool uses API credits (limited to 1,500 posts/month on the Free tier), so only use it when the user explicitly asks you to post, or during scheduled cron tasks. Do not speculatively draft and post tweets.

For reading tweets, searching, and browsing timelines, use bird instead (no credit cost).

Setup

  1. Install (pinned to release tag):
     npm install -g github:0xmythril/tweet-cli#v1.0.0
  2. Get API keys from https://developer.x.com/en/portal/dashboard (Free tier works)
  3. Configure credentials (file is created with restricted permissions):
     mkdir -p ~/.config/tweet-cli
     touch ~/.config/tweet-cli/.env
     chmod 600 ~/.config/tweet-cli/.env
     cat > ~/.config/tweet-cli/.env << 'EOF'
     X_API_KEY=your_consumer_key
     X_API_SECRET=your_secret_key
     X_ACCESS_TOKEN=your_access_token
     X_ACCESS_TOKEN_SECRET=your_access_token_secret
     EOF
  4. Verify: tweet-cli whoami

Security

  • Credentials: Stored in ~/.config/tweet-cli/.env (read by dotenv at runtime). Set chmod 600 to restrict access.
  • No postinstall scripts: The package has zero install scripts — verify via npm pack --dry-run or inspect package.json.
  • No telemetry or network calls except to the official X API (api.x.com) when you run a command.
  • Pinned install: The install command pins to a specific release tag. Audit the source at https://github.com/0xmythril/tweet-cli before installing.
  • Dependencies: Only 3 runtime deps — twitter-api-v2 (official X API client), commander (CLI parsing), dotenv (env file loading). No transitive dependencies.
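The scan assessment (inspect package.json for install scripts, keep the .env at chmod 600, verify the pinned tag) and the Security bullets above describe checks a user can run before installing. The audit below is an added example, not the skill's own code: the package.json contents, the postinstall hook, the script names and the .env files are constructed samples, and only the install spec string comes from the page.

```shell
#!/bin/sh
# Added example (not part of the tweet-cli skill): a pre-install audit covering the
# points the scan assessment and the SKILL.md Security section raise.
# All inputs are constructed inline, so it runs offline.
# has_install_scripts FILE: succeeds if package.json declares an npm lifecycle script
# that would run code during "npm install" (preinstall/install/postinstall/prepare).
has_install_scripts() {
  grep -Eq '"(preinstall|install|postinstall|prepare)"[[:space:]]*:' "$1"
}

# pinned_github_spec SPEC: succeeds if a github: install spec carries an explicit
# version tag fragment (github:owner/repo#vX.Y.Z) instead of floating on a branch.
pinned_github_spec() {
  case "$1" in
    github:*/*#v[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# env_mode_ok FILE: succeeds if the credentials file is mode 0600 (owner read/write only).
env_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")  # GNU stat, then BSD stat
  [ "$mode" = "600" ]
}

# Constructed samples: a package.json shaped like the one SKILL.md describes
# (three runtime deps, no install scripts) and one that adds a postinstall hook.
SAMPLE_DIR=$(mktemp -d)
CLEAN_JSON="$SAMPLE_DIR/clean-package.json"
HOOKED_JSON="$SAMPLE_DIR/hooked-package.json"
cat > "$CLEAN_JSON" <<'EOF'
{ "name": "tweet-cli", "bin": { "tweet-cli": "index.js" },
  "scripts": { "test": "node test.js" },
  "dependencies": { "twitter-api-v2": "*", "commander": "*", "dotenv": "*" } }
EOF
cat > "$HOOKED_JSON" <<'EOF'
{ "name": "tweet-cli", "scripts": { "postinstall": "node setup.js" } }
EOF
# Constructed credentials files: one created as SKILL.md instructs (chmod 600), one world-readable.
GOOD_ENV="$SAMPLE_DIR/good.env"; BAD_ENV="$SAMPLE_DIR/bad.env"
touch "$GOOD_ENV" "$BAD_ENV"
chmod 600 "$GOOD_ENV"; chmod 644 "$BAD_ENV"

# audit_skill PACKAGE_JSON INSTALL_SPEC ENV_FILE: exit 0 only when every check passes.
audit_skill() {
  ! has_install_scripts "$1" && pinned_github_spec "$2" && env_mode_ok "$3"
}
audit_skill "$CLEAN_JSON" "github:0xmythril/tweet-cli#v1.0.0" "$GOOD_ENV" \
  && echo "audit passed" || echo "audit failed"
```

To audit the real package, point audit_skill at the package.json extracted from npm pack --dry-run output and at your own ~/.config/tweet-cli/.env.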

Commands

Verify auth

tweet-cli whoami

Post a tweet

tweet-cli post "Your tweet text here"

Reply to a tweet

tweet-cli reply <tweet-id-or-url> "Your reply text"
tweet-cli reply https://x.com/user/status/123456 "Your reply text"

Quote a tweet

tweet-cli quote <tweet-id-or-url> "Your commentary"
tweet-cli quote https://x.com/user/status/123456 "Your commentary"

Delete a tweet

tweet-cli delete <tweet-id-or-url>

Important rules

  • Do NOT post unless the user explicitly asks or a cron job triggers it. Each post uses API credits.
  • Always confirm with the user before posting, replying, or quoting. Show them the text first.
  • For reading tweets, searching, or viewing timelines, use bird (not tweet-cli).
  • tweet-cli accepts both raw tweet IDs and full URLs (x.com or twitter.com).
  • If you get a 402 CreditsDepleted error, inform the user their monthly credits are exhausted.
