ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Twitter Autopilot

Automate Twitter/X posting, engagement, and growth for OpenClaw AI agents. Use when setting up an agent's Twitter presence, posting tweets, running engagemen...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 435 · 1 current installs · 1 all-time installs
by@persnola1-sketch
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md and scripts/tweet.py both implement Twitter/X posting, follows, replies, threads, and local draft/log management — behavior consistent with the description. However, the registry metadata reports no required environment variables or primary credential while SKILL.md (and the code) require multiple Twitter OAuth credentials; this metadata mismatch is an incoherence that affects permission review and automated gating.
Instruction Scope
The runtime instructions and the included script stick to the described scope: they use tweepy, require Twitter credentials, post tweets, follow/unfollow, and read/write files under a twitter/ directory (MODE.md, queue.md, drafts, posted-log.md, logs/). The skill does perform actions with real-world effects (posting, following) and instructs cron/autonomous operation, which raises operational risk but is within the stated purpose.
Install Mechanism
This is an instruction-only skill with a bundled Python script; there is no install spec or remote download. The only dependency is pip-installable 'tweepy' as documented. No external or obscure install URLs are used.
!
Credentials
The skill requires multiple sensitive environment variables (TWITTER_API_KEY, TWITTER_API_SECRET, TWITTER_ACCESS_TOKEN, TWITTER_ACCESS_SECRET, optional TWITTER_BEARER_TOKEN) which are appropriate for Twitter integration, but the registry metadata does not declare them (no primaryEnv and 'required env vars: none'). That mismatch is a security/process concern: automated systems or reviewers won't know the skill needs credentials, and users may supply secrets without realizing the skill will use them to perform public actions. Also, because follow/read operations use the bearer token, missing/incorrect env handling could cause crashes or unexpected behavior.
Persistence & Privilege
The skill is not set to always:true and does not request system-wide changes; it only reads/writes its own twitter/ files. Autonomous invocation is allowed (default), which is expected for an automation skill — but combined with the ability to post and follow using real account credentials, autonomous execution increases blast radius and should be controlled (e.g., draft mode, human approval, or run with a separate test account).
What to consider before installing
This skill appears to do what it says (automate Twitter/X posting) and includes a usable Python script, but pay attention to these points before installing: - Metadata mismatch: The registry claims no required env vars, yet SKILL.md and the script require sensitive Twitter credentials (API key/secret and access token/secret, optional bearer token). Treat that as a red flag — the platform's permission UI may not surface these needs. - Real-world effects: If you supply live account credentials and allow autonomous invocation, the agent can post, follow, unfollow, delete, and otherwise act on your public account. Run in DRAFT mode or use a separate test account until you trust it. - Secrets handling: Only provide keys you are willing to revoke. Prefer a dedicated API key/token pair with minimal permissions. Rotate tokens after testing. Do not use credentials tied to a high-value or organizational account. - Review and limit autonomy: If possible, require human approval (MODE.md DRAFT) for initial posts, or disable autonomous cron jobs. Audit logs in twitter/posted-log.md regularly. - Code review: The included script looks straightforward and contains no obvious remote exfiltration or obfuscated endpoints, but confirm that log paths and files are acceptable for your environment and that you are comfortable with the script writing to disk. If you want to proceed: update the registry metadata to declare the required environment variables (so reviewers and automated gates can surface them), test against a disposable/test account, and enforce draft approval until behavior is verified.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.3.1
Download zip
latestvk979m755yqd07wbm873sve3nad81r2yw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Twitter Autopilot

End-to-end Twitter/X automation for AI agents running on OpenClaw.

Requirements & Scope

Credentials (all set as env vars)

VariableRequiredDescription
TWITTER_API_KEYOAuth 1.0a consumer key
TWITTER_API_SECRETOAuth 1.0a consumer secret
TWITTER_ACCESS_TOKENOAuth 1.0a user token
TWITTER_ACCESS_SECRETOAuth 1.0a user secret
TWITTER_BEARER_TOKENOptionalOAuth 2.0 bearer (needed for reads/follows)

Dependencies

  • tweepy (pip install)

Files Read/Written

PathAccessPurpose
twitter/MODE.mdReadDraft vs auto mode flag
twitter/queue.mdRead/WriteApproved tweets waiting to post
twitter/drafts/pending.mdRead/WriteUnapproved drafts
twitter/posted-log.mdRead/WriteFull history of posted tweets (duplicate check)
twitter/logs/WriteEngagement and posting logs

Scope

  • ⚠️ Posts tweets to Twitter/X (public, real-world impact)
  • Reads/writes local draft and log files
  • Can run autonomously via cron (check MODE.md to control)

Setup

1. Get API Keys

  1. Go to developer.x.com → create a project + app
  2. Set app permissions to Read and Write
  3. Generate: API Key, API Secret, Access Token, Access Token Secret
  4. Generate Bearer Token: curl -u "API_KEY:API_SECRET" -d "grant_type=client_credentials" "https://api.twitter.com/oauth2/token"

2. Set Environment Variables

TWITTER_API_KEY=your_api_key
TWITTER_API_SECRET=your_api_secret
TWITTER_ACCESS_TOKEN=your_access_token
TWITTER_ACCESS_SECRET=your_access_token_secret
TWITTER_BEARER_TOKEN=your_bearer_token

3. Install Dependency

pip install tweepy

Usage

All commands via scripts/tweet.py:

# Post (auto-threads if >280 chars)
python tweet.py post "your tweet text here"

# Reply to a tweet
python tweet.py reply TWEET_ID "your reply"

# Quote tweet
python tweet.py quote TWEET_ID "your take"

# Retweet
python tweet.py retweet TWEET_ID

# Delete
python tweet.py delete TWEET_ID

# Follow / Unfollow
python tweet.py follow @username
python tweet.py unfollow @username

# Check mentions
python tweet.py mentions

# Account stats
python tweet.py me

Long Tweets → Auto-Thread

Free API tier limits single tweets to 280 chars. The post command auto-splits at sentence boundaries into a thread when text exceeds 280 chars.

For manual threads, call thread from Python:

from tweet import thread
thread(["Tweet 1", "Tweet 2", "Tweet 3"])

Draft Workflow

For agents that need human approval before posting:

  1. Create twitter/MODE.md with content DRAFT or AUTO
  2. Create twitter/drafts/pending.md for queued drafts
  3. In cron jobs, check MODE.md before posting:
    • DRAFT → append to pending.md, notify human
    • AUTO → post directly, log to twitter/logs/

Gotchas

  • Free tier: 280 char limit per tweet, rate limits on posting (~50/day write, reads limited)
  • 401 on follows/reads: You need a Bearer Token (OAuth 2.0), not just OAuth 1.0a keys
  • 403 on long tweets: Free tier rejects >280 chars — use auto-thread
  • Shell escaping: Avoid passing tweets with quotes via shell args — use Python directly for complex text
  • Rate limits: Add time.sleep(1) between batch operations (follows, thread posts)

Strategy

See references/content-strategy.md for the full tweet writing playbook:

  • X algorithm breakdown (engagement hierarchy, peak times, dwell time)
  • 6 hook formulas with examples (bold, specific result, curiosity gap, story, pattern interrupt, question)
  • 6 tweet formats (listicle, contrarian, before/after, framework, universal experience, fill-in-blank)
  • Copywriting frameworks (PAS, BAB, AIDA)
  • Thread structure template (7-8 tweet sweet spot)
  • Growth tactics (30-day subtopic, reply strategy, 80/20 rule)
  • AI agent-specific tips

See references/strategy-templates.md for content pillars, engagement playbooks, and cron schedule templates.

Key Lessons (from real usage)

  1. AIs that BUILD things get followers. AIs that post thoughts don't.
  2. Engage with the AI agent community — they engage back.
  3. High volume matters early (5-10+ posts/day including replies).
  4. Self-deprecating humor > motivational quotes.
  5. Draft mode for new accounts — one bad tweet can tank trust.
  6. ALWAYS check twitter/posted-log.md before posting — crons can reword the same topic and create duplicates. Compare ideas, not just exact text.
  7. Say your human's name (e.g. "Alex"), not "my human" — sounds more personal and real.
  8. Log EVERY posted tweet to twitter/posted-log.md with full text, ID, date, and source.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…