ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X Auto-Tweet (Browser)

Automate posting on X by scraping trends, generating and scheduling tweets via browser without API costs, with approval workflows and human-like delays.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.4k · 6 current installs · 6 all-time installs
by@nightfullstar
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (scrape X trends, generate tweet ideas, post via browser) matches the included scripts (Playwright-based scraping and posting). However the docs repeatedly claim it will 'send to Telegram for approval' and reference scripts (mentions.js, like.js) that are not present and no Telegram integration or credentials are requested. That mismatch between documentation and delivered code is an incoherence.
!
Instruction Scope
Runtime instructions and scripts require connecting to a local browser CDP (http://127.0.0.1:18792) and driving an existing logged-in X session — expected for the stated task. But SKILL.md/WORKFLOW instructs sending approvals to Telegram and cron-driven remote workflows while no code or env vars implement Telegram or external endpoints. Also the skill asks you to keep a real logged-in browser session active: this allows the code to act as your user in that session and access any open tabs/cookies, which is a high-privilege operation and should be run from an isolated profile.
Install Mechanism
No remote downloads or obscure install steps; instruction-only skill with an npm install (playwright) in package.json. This is a standard dependency and the install mechanism is proportionate to browser automation.
!
Credentials
The skill declares no required credentials (and claims 'credential-free'), yet documentation describes sending messages to Telegram for approval. If Telegram approval is desired, credentials (bot token or webhook) would be required but are not requested or present in code. The omission is an incoherence that could lead users to wire up credentials themselves or run unsafe ad-hoc integrations.
Persistence & Privilege
The skill does not request 'always: true' or system-wide persistence. It requires an attached browser session and writes local data files under data/, which is expected for scheduling/queues. No modifications to other skills or global agent config are apparent.
What to consider before installing
This skill mostly does what it claims (uses Playwright to scrape X and post using your browser session), but there are important mismatches and operational risks you should consider before installing: - Missing Telegram integration: SKILL.md/workflow promises sending tweet ideas to Telegram for approval, but there is no Telegram code or credential fields. Expect to implement that yourself or accept that approval will be manual. - Browser privilege: the scripts connect to a local CDP (127.0.0.1:18792) and operate a logged-in browser. Run this only with a dedicated browser profile or isolated VM — do not attach it to your main browser profile that has personal accounts, cookies, or passwords. - Review and test locally first: inspect the scripts (they are small and readable) and run them in a controlled environment. Confirm data is only written to the local data/ directory and that there are no hidden network calls. The code shown does not phone home, but it can perform any action your logged-in browser session allows. - Terms-of-service risk: automating posting may violate X/Twitter ToS. Consider legal/ToS implications for your account. - If you want Telegram approvals, ask the skill author for the missing integration or add it yourself (and only then add the bot token as a credential in a secure way). If you don't want automated posting, keep the approval/manual posting workflow and don't whitelist full automation. Given the documentation/code inconsistencies and the sensitive privilege of controlling a logged-in browser, treat this skill as 'suspicious' until the Telegram/automation gaps are resolved and you run it from an isolated browser/profile.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97cq13tm3r99f8ek22w42wqj180j2mh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

X (Twitter) Automation Skill

Automate X posts via browser control - bypass $200/month API costs.

What It Does

  • Scrape trending topics from your personalized "For You" feed
  • Generate tweet ideas based on trends (crypto/Web3/tech focused)
  • Schedule tweets throughout the day for natural posting
  • Post via browser automation - no API keys needed
  • Queue management for approval workflows

Why This Exists

X API pricing is insane:

  • Free tier: Write-only, can't read anything
  • Basic: $200/month for 15k tweets read
  • Pro: $5,000/month

This skill uses browser automation instead. Zero API costs.

Features

Trend Scraping

  • Navigates to X.com/explore
  • Extracts trending topics from "For You" tab
  • Saves to JSON for AI processing

Tweet Generation

  • AI generates 3-5 tweet ideas based on trends
  • Customizable tone/voice
  • Length optimization (150-250 chars for engagement)

Scheduled Posting

  • Space tweets throughout the day
  • Human-like delays between posts
  • Approval queue workflow

Browser Automation

  • Uses OpenClaw browser control
  • Requires one-time login
  • Session persists across runs

Installation

cd ~/.openclaw/workspace/skills/x-automation
npm install

Usage

1. Manual Tweet Generation

Ask your agent:

"Check X trends and generate 3 tweet ideas"

The agent will:

  1. Navigate to X.com/explore
  2. Scrape trending topics
  3. Generate tweet ideas
  4. Send to you for approval
  5. Post approved tweets

2. Automated Posting (Cron)

Set up a cron job to run every 4 hours:

{
  "schedule": { "kind": "every", "everyMs": 14400000 },
  "payload": {
    "kind": "agentTurn",
    "message": "Check X trends, generate 2-3 tweet ideas, send to Telegram for approval"
  },
  "sessionTarget": "isolated"
}

3. Direct Posting

"Post this tweet: <your text>"

Configuration

No API keys needed! Just:

  1. Log in to X.com in OpenClaw browser
  2. Keep browser session active (or re-login when needed)
  3. Customize tweet voice in your SOUL.md or prompt

Tweet Generation Guidelines

Default focus areas (customize in your prompts):

  • Crypto trends (ETH, Base L2, DeFi)
  • Web3 development
  • Tech commentary
  • Product updates (if applicable)

Default tone:

  • Direct, opinionated
  • No corporate speak
  • Short & punchy (150-250 chars)
  • Engagement-focused

File Structure

x-automation/
├── scripts/
│   ├── auto-tweet.js       # Main automation
│   ├── post.js             # Single tweet posting
│   ├── post-approved.js    # Post from queue
│   └── check-trends.js     # View current trends
├── data/                   # Created on first run
│   ├── latest-trends.json
│   ├── approved-queue.json
│   └── tweet-history.json
├── SKILL.md
├── README.md
└── package.json

Safety Features

  • No auto-posting without approval (unless you configure it)
  • Human-like delays (30-60s between tweets)
  • Daily limits (configurable, default 10/day)
  • Queue review before posting

Anti-Detection

  • Uses real browser session (not headless)
  • Random delays between actions
  • Natural posting schedule
  • Human-like mouse movements (Playwright)

Limitations

  • Requires browser to stay logged in
  • Can be detected if too aggressive
  • Manual login required (can't automate 2FA)

Legal Note

This automates YOUR account via YOUR browser. You're not violating X ToS any more than using the website normally. Just don't spam.

Pro Tips

Optimal posting times (adjust for your timezone):

  • Morning: 9-10 AM (commute browsing)
  • Lunch: 1-2 PM (break time)
  • Evening: 7-9 PM (peak Twitter hours)
  • Late: 11 PM-12 AM (night crew)

Posting frequency:

  • 2-4 tweets/day is natural
  • Space out by 3-4 hours minimum
  • Don't post all at once

Content strategy:

  • Comment on trends (show you're plugged in)
  • Share insights (demonstrate expertise)
  • Mention your product (subtle, 1 in 5 tweets)
  • Engage with replies (build community)

Examples

See WORKFLOW.md for detailed examples of:

  • Trend scraping output
  • Generated tweet samples
  • Approval workflows
  • Scheduling strategies

Support

This skill is credential-free and safe to share. No API keys, no passwords, no private data.

Issues? Check:

  1. Is browser logged into X?
  2. Is OpenClaw browser control running?
  3. Are cron jobs properly configured?

Built for crypto devs who refuse to pay $200/month for an API that should be free.

Files

14 total
Select a file
Select a file to preview.

Comments

Loading comments…