Twitter API Integration (Web Reversed)
Cookie-based Twitter/X automation toolkit (timeline, notifications, posting, follow ops) for OpenClaw agents.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 675 · 0 current installs · 0 all-time installs
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: this is a cookie-based Twitter/X client and automation scripts. However the registry metadata declares no required env vars while the code expects many GANCLAW_* account variables (e.g., GANCLAW_X_PRIMARY_AUTH_TOKEN, GANCLAW_X_PRIMARY_CT0) and uses .env files. That mismatch between declared requirements and actual needs is an incoherence: someone building a Twitter cookie client would legitimately need the cookie env vars, so those should be declared.
Instruction Scope
SKILL.md instructs pip install and to copy/fill a .env with auth_token + ct0 and to run scripts (timeline, post, follow). The code follows that, but also reads/writes a repo-level config.json (via twitter_api/config/settings.py) and has helper functions to load token files and save results. The README/instructions do not disclose that the package contains default proxy settings or embedded demo credentials present in code — these broaden behavior beyond the documented scope and pose risk.
Install Mechanism
No formal install spec in registry (instruction-only); SKILL.md relies on 'pip install -r requirements.txt', which is reasonable; requirements are small (aiohttp, tenacity, etc.). Because there is no packaged install step, code files will simply run from the repository. That reduces installer-supply-chain risk but means the provided source code must be trusted and audited before execution.
Credentials
The registry declares no required credentials, yet the code expects many environment vars for account cookies and proxy control. More critically, the repository contains hardcoded secrets: DEFAULT_CONFIG sets a DEFAULT proxy with embedded credentials (beeaVXlWtDSdzRin:beeVvI6kd02MB@hive.beeproxies.com:1337), demo_langchain_tools.py contains an AUTH_TOKEN and CT0 literal, and constants include an authorization Bearer value. Hardcoded network/proxy credentials and example tokens are disproportionate and can enable traffic routing or token reuse/exfiltration if left unchanged.
Persistence & Privilege
always:false and the skill doesn't request platform-wide privileges. The code does write a config.json in the repository root and provides save_results helpers to write files — standard for a CLI library. However, because a default proxy with credentials exists in configuration, persistent use (e.g., running scripts repeatedly or by an autonomous agent) would cause repeated network traffic possibly routed through those credentials. Autonomous invocation alone is not flagged, but combined with hardcoded proxy credentials this increases blast radius.
What to consider before installing
This skill contains working code for cookie-based Twitter automation, but it also embeds suspicious artifacts: a default proxy URL with credentials (in twitter_api/config/settings.py), hardcoded auth_token/ct0 values in demo_langchain_tools.py, and a Bearer token in constants. These are red flags because they could (intentionally or accidentally) route your account traffic through a third-party proxy or expose live credentials. Before installing or running:
1) Do not paste real account cookies into .env until you audit and remove/change hardcoded proxies/credentials.
2) Inspect and remove or replace the DEFAULT_PROXY and any embedded tokens; treat any exposed tokens as compromised (rotate/reset them).
3) Run the code in an isolated environment (sandbox/container) and monitor outbound network connections to verify where traffic is sent.
4) Prefer using well-documented, official APIs and credentials rather than cookie re-use; if you must use this, require that the repository author/source is trusted.
Because of the mismatches and embedded credentials, consider this skill suspicious and audit thoroughly (or avoid) unless you can validate the proxy owner and rotate any affected credentials.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
Tags: api, automation, latest, marketing, posting, social
Runtime requirements
🐦 Clawdis
Bins: python, git
SKILL.md
twitter-agent-skill
Summary
Async Twitter/X client and scripts that rely on auth_token + ct0 cookies (no official API keys). Supports:
- Home timeline fetch + summary (scripts/timeline_summary.py).
- Notifications fetch + signal analysis (scripts/fetch_notifications.py, scripts/analyze_signal.py).
- Posting and follow automation via env-driven account labels (scripts/post_custom_tweet.py, scripts/follow_account.py).
- Full async client (twitter_api/) with modules for tweets, users, relationships, DMs, etc.
Setup
- pip install -r requirements.txt (Python 3.10+).
- Copy .env.example → .env and fill cookies per account (auth_token + ct0 from logged-in sessions).
- Run scripts from repo root, e.g.:
    python scripts/timeline_summary.py
    python scripts/post_custom_tweet.py account_a "hello"
    python scripts/follow_account.py thenfter07
Notes
- Env variable names are generic (ACCOUNT_A_AUTH_TOKEN, etc.); rename as needed and adjust ACCOUNT_ENV dicts in the scripts.
- Respect Twitter/X ToS and do not spam.
- Designed for GanClaw social ops, but neutral enough for other agents to reuse.
Files
33 total
