ClawHub

X Api

Post to X (Twitter) using the official API with OAuth 1.0a. Use when you need to tweet, post updates, or publish content. Bypasses rate limits and bot detection that affect cookie-based approaches like bird CLI.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
40 · 5.3k · 36 current installs · 38 all-time installs
by@lobstergeneralintelligence
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name, README, SKILL.md, and script all align: it posts to X via the official API and requires OAuth 1.0a credentials. However the registry metadata claims no required env vars/primary credential while the runtime clearly requires four credentials (consumer key/secret and access token/secret). This mismatch is an incoherence in the metadata, not the implementation.
Instruction Scope
Runtime instructions and the script are narrowly scoped to posting tweets. The script only reads credentials (from env vars or the stated config paths) and calls the official API via the twitter-api-v2 library. It does not attempt to read unrelated system files or contact unexpected endpoints.
Install Mechanism
There is no bundled install spec (instruction-only skill) and the project depends on the npm package twitter-api-v2 declared in package.json. The SKILL.md recommends running npm install (or -g). This is a standard, moderate-risk dependency install; verify the package/version via npm and consider running npm audit before installing globally.
!
Credentials
The runtime requires four sensitive credentials (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET) and accepts a config file at ~/.clawdbot/secrets/x-api.json or ./.x-api.json. Those requirements are proportionate to posting on X, but the registry metadata incorrectly lists no required env vars/credentials. Also note the fallback to a .x-api.json in the current working directory — storing secrets there could be riskier than a secure home config file.
Persistence & Privilege
The skill does not request persistent, elevated, or always-on privileges (always: false). It does not modify other skills or system-wide settings. It just provides a CLI script invoked by the user or the agent.
Assessment
This skill's code matches its description: it posts tweets using OAuth 1.0a and requires four X credentials. Before installing: (1) be aware the registry metadata omitted the required credentials — the SKILL.md/script expect X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET or a config file; (2) store credentials securely (prefer a single-purpose file in your home directory with restricted permissions rather than ./.x-api.json); (3) review and verify the npm dependency (twitter-api-v2) and run npm audit or install in an isolated environment if you have concerns; (4) the README claim that this “bypasses rate limits and bot detection” is marketing — expect standard API limits/requirements and billing from X; (5) confirm you trust the skill owner (no homepage provided) and inspect the script yourself — it does not exfiltrate secrets or call unexpected hosts. If any of these checks fail or you are uncomfortable storing OAuth tokens, do not install the skill.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0
Download zip
latestvk979h1nvppmsbrvdwy9jqcf17h803j2t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

x-api 🐦

Post to X using the official API (OAuth 1.0a).

When to Use

  • Posting tweets (cookie-based bird tweet gets blocked by bot detection)
  • Official API access is needed for reliability

For reading (timeline, search, mentions), use bird CLI instead — it's free and works well for reads.

Setup

1. Get API Credentials

  1. Go to https://developer.x.com/en/portal/dashboard
  2. Create a Project and App
  3. Set App permissions to Read and Write
  4. Get your keys from "Keys and tokens" tab:
    • API Key (Consumer Key)
    • API Key Secret (Consumer Secret)
    • Access Token
    • Access Token Secret

2. Configure Credentials

Option A: Environment variables

export X_API_KEY="your-api-key"
export X_API_SECRET="your-api-secret"
export X_ACCESS_TOKEN="your-access-token"
export X_ACCESS_SECRET="your-access-token-secret"

Option B: Config file at ~/.clawdbot/secrets/x-api.json

{
  "consumerKey": "your-api-key",
  "consumerSecret": "your-api-secret",
  "accessToken": "your-access-token",
  "accessTokenSecret": "your-access-token-secret"
}

3. Install Dependency

npm install -g twitter-api-v2

Post a Tweet

x-post "Your tweet text here"

Or with full path:

node /path/to/skills/x-api/scripts/x-post.mjs "Your tweet text here"

Supports multi-line tweets:

x-post "Line one

Line two

Line three"

Returns the tweet URL on success.

Limits

  • Free tier: 1,500 posts/month (requires credits in X Developer Portal)
  • Basic tier ($100/mo): Higher limits

Reading (use bird)

For reading, searching, and monitoring — use the bird CLI:

bird home                    # Timeline
bird mentions                # Mentions
bird search "query"          # Search
bird user-tweets @handle     # User's posts
bird read <tweet-url>        # Single tweet

Troubleshooting

402 Credits Depleted: Add credits in X Developer Portal → Dashboard

401 Unauthorized: Regenerate Access Token (ensure Read+Write permissions are set first)

No credentials found: Set env vars or create config file (see Setup above)

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…