X Twitter

X/Twitter manager: post, reply, search, like, retweet & get analytics. Requires: powershell/pwsh. Reads ~/.config/x-twitter/credentials.json (X_API_KEY, X_AP...

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 213 · 0 current installs · 0 all-time installs

byJoseph Maynite@seph1709

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name, description, declared required binaries (powershell/pwsh), and the explicit requirement to read ~/.config/x-twitter/credentials.json align with a Twitter/X API manager that needs OAuth keys and secrets. There are no unrelated env vars, binaries, or config paths requested.

✓

Instruction Scope

SKILL.md explicitly instructs the agent to read the local credentials file, construct OAuth 1.0a headers, and call api.twitter.com endpoints. It does not instruct reading unrelated system files, requesting other credentials, or sending data to third-party endpoints. The doc also advises restricting file permissions and rotating tokens, which is appropriate operational guidance.

✓

Install Mechanism

There is no install spec and no code files to write to disk; the skill is instruction-only. This minimizes install-time risk—nothing is downloaded or installed by the skill itself.

✓

Credentials

The only sensitive data required are the four OAuth fields stored in the declared credentials.json path, which is necessary for the stated capabilities. No unrelated credentials or broad environment access is requested.

✓

Persistence & Privilege

always is false (default), the skill is user-invocable and may be called autonomously (platform default) but does not request permanent presence or system-wide configuration changes.

Assessment

This skill appears coherent for managing an X/Twitter account via API using PowerShell and a local credentials file. Before installing: (1) Create a dedicated X Developer App and use app/tokens with the minimum permissions needed (prefer read-only when possible until you need write actions). (2) Store credentials in the indicated file and set strict file permissions (chmod 600 / icacls) as recommended. (3) Treat the access token/secret as sensitive and rotate/revoke them if the host or skill usage is ever suspect. (4) Remember the skill is instruction-only: it relies on the agent's runtime for network calls — only grant it to agents you trust to make requests to api.twitter.com. (5) If you need stronger assurance, review the truncated request examples in SKILL.md (or test in an isolated environment) to confirm all network calls go only to api.twitter.com and that no additional telemetry or external endpoints are used.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2

Download zip

latestvk977yzgknmh6869rjj7dy4yej5822r64

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

[x] Clawdis

Any binpowershell, pwsh

SKILL.md

x-twitter - Universal X/Twitter API Skill

Constructs and executes X API v2 calls inline based on what the user wants. No scripts needed.

API version: v2 Base URL: https://api.twitter.com/2

Requires an X Developer App with OAuth 1.0a User Context credentials. Free tier supports posting, reading own timeline, and basic lookups. Elevated/Pro tier required for search and higher rate limits.

STEP 1 - Load Credentials

Credentials are stored in ~/.config/x-twitter/credentials.json.

$cfg           = Get-Content "$HOME/.config/x-twitter/credentials.json" -Raw | ConvertFrom-Json
$apiKey        = $cfg.X_API_KEY
$apiSecret     = $cfg.X_API_SECRET
$accessToken   = $cfg.X_ACCESS_TOKEN
$accessSecret  = $cfg.X_ACCESS_SECRET

If the file does not exist, guide setup. Required fields:

Field	Purpose
`X_API_KEY`	App API Key (Consumer Key) - from X Developer Portal
`X_API_SECRET`	App API Secret (Consumer Secret) - from X Developer Portal
`X_ACCESS_TOKEN`	Account Access Token - from X Developer Portal
`X_ACCESS_SECRET`	Account Access Token Secret - from X Developer Portal

One-time setup:

Go to X Developer Portal
Create a Project and App (or use existing)
Under App Settings -> User authentication settings: enable OAuth 1.0a with Read and Write permissions
Go to App Keys and Tokens -> Generate Access Token and Secret (for your own account)
Save all four values:

@{
    X_API_KEY       = "your_api_key"
    X_API_SECRET    = "your_api_secret"
    X_ACCESS_TOKEN  = "your_access_token"
    X_ACCESS_SECRET = "your_access_token_secret"
} | ConvertTo-Json | Set-Content "$HOME/.config/x-twitter/credentials.json" -Encoding UTF8

Restrict file permissions immediately after saving:

# Windows
icacls "$HOME/.config/x-twitter/credentials.json" /inheritance:r /grant:r "$($env:USERNAME):(R,W)"
# macOS / Linux
# chmod 600 ~/.config/x-twitter/credentials.json

Never commit this file to version control. It contains long-lived secrets. Rotate X_ACCESS_TOKEN and X_ACCESS_SECRET periodically and immediately if the host is ever compromised. X_API_KEY and X_API_SECRET are app-level credentials - keep them permanently but treat as sensitive. This skill makes no external calls other than to api.twitter.com. No data is forwarded to third parties.

STEP 2 - Figure Out the API Call

X API v2 uses OAuth 1.0a for user-context actions (post, delete, like, retweet) and Bearer Token for read-only public data. This skill uses OAuth 1.0a for all calls (covers both read and write).

OAuth 1.0a Signing Helper

All requests require an OAuth 1.0a Authorization header. Use this helper:

function Get-OAuthHeader {
    param($method, $url, $apiKey, $apiSecret, $accessToken, $accessSecret, [hashtable]$params = @{})
    $nonce     = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.Guid]::NewGuid().ToString("N")))
    $timestamp = [int][double]::Parse(([datetime]::UtcNow - [datetime]"1970-01-01").TotalSeconds)
    $oauthParams = @{
        oauth_consumer_key     = $apiKey
        oauth_nonce            = $nonce
        oauth_signature_method = "HMAC-SHA1"
        oauth_timestamp        = $timestamp
        oauth_token            = $accessToken
        oauth_version          = "1.0"
    }
    # Merge all params for signature base
    $allParams = @{}
    $oauthParams.GetEnumerator() | ForEach-Object { $allParams[$_.Key] = $_.Value }
    $params.GetEnumerator() | ForEach-Object { $allParams[$_.Key] = $_.Value }
    # Build signature base string
    $sortedParams = ($allParams.GetEnumerator() | Sort-Object Key | ForEach-Object {
        "$([Uri]::EscapeDataString($_.Key))=$([Uri]::EscapeDataString($_.Value))"
    }) -join "&"
    $baseString = "$method&$([Uri]::EscapeDataString($url))&$([Uri]::EscapeDataString($sortedParams))"
    # Sign
    $signingKey = "$([Uri]::EscapeDataString($apiSecret))&$([Uri]::EscapeDataString($accessSecret))"
    $hmac = New-Object System.Security.Cryptography.HMACSHA1
    $hmac.Key = [System.Text.Encoding]::ASCII.GetBytes($signingKey)
    $signature = [System.Convert]::ToBase64String($hmac.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($baseString)))
    $oauthParams["oauth_signature"] = $signature
    # Build header
    $headerParts = $oauthParams.GetEnumerator() | Sort-Object Key | ForEach-Object {
        "$([Uri]::EscapeDataString($_.Key))=`"$([Uri]::EscapeDataString($_.Value))`""
    }
    return "OAuth $($headerParts -join ', ')"
}

Common Endpoints

What user wants	Method	Endpoint
Post a tweet	POST	`/tweets` body: `text`
Reply to a tweet	POST	`/tweets` body: `text` + `reply.in_reply_to_tweet_id`
Quote a tweet	POST	`/tweets` body: `text` + `quote_tweet_id`
Delete a tweet	DELETE	`/tweets/{id}`
Like a tweet	POST	`/users/{id}/likes` body: `tweet_id`
Unlike a tweet	DELETE	`/users/{id}/likes/{tweet_id}`
Retweet	POST	`/users/{id}/retweets` body: `tweet_id`
Undo retweet	DELETE	`/users/{id}/retweets/{tweet_id}`
Get own timeline	GET	`/users/{id}/tweets?max_results=10&tweet.fields=created_at,public_metrics`
Get home timeline	GET	`/users/{id}/timelines/reverse_chronological?max_results=10`
Search recent tweets	GET	`/tweets/search/recent?query=...&max_results=10`
Get tweet by ID	GET	`/tweets/{id}?tweet.fields=created_at,public_metrics,author_id`
Get own user info	GET	`/users/me?user.fields=username,name,public_metrics,description`
Get user by username	GET	`/users/by/username/{username}?user.fields=public_metrics`
Get followers	GET	`/users/{id}/followers?max_results=100`
Get following	GET	`/users/{id}/following?max_results=100`
Follow a user	POST	`/users/{id}/following` body: `target_user_id`
Unfollow a user	DELETE	`/users/{id}/following/{target_id}`
Get mentions	GET	`/users/{id}/mentions?max_results=10&tweet.fields=created_at,author_id`
Get bookmarks	GET	`/users/{id}/bookmarks?max_results=10`
Bookmark a tweet	POST	`/users/{id}/bookmarks` body: `tweet_id`
Create a list	POST	`/lists` body: `name`, `private`
Get own lists	GET	`/users/{id}/owned_lists`
Add member to list	POST	`/lists/{id}/members` body: `user_id`

API Call Patterns

GET:

$url    = "https://api.twitter.com/2/ENDPOINT"
$authHeader = Get-OAuthHeader -method "GET" -url $url -apiKey $apiKey -apiSecret $apiSecret -accessToken $accessToken -accessSecret $accessSecret
$result = Invoke-RestMethod -Uri $url -Headers @{ Authorization = $authHeader } -ErrorAction Stop

GET with query params (include in signature):

$url    = "https://api.twitter.com/2/tweets/search/recent"
$qp     = @{ query = "from:username"; max_results = "10" }
$authHeader = Get-OAuthHeader -method "GET" -url $url -apiKey $apiKey -apiSecret $apiSecret -accessToken $accessToken -accessSecret $accessSecret -params $qp
$qs     = ($qp.GetEnumerator() | ForEach-Object { "$($_.Key)=$([Uri]::EscapeDataString($_.Value))" }) -join "&"
$result = Invoke-RestMethod -Uri "$url`?$qs" -Headers @{ Authorization = $authHeader } -ErrorAction Stop

POST (JSON body):

$url    = "https://api.twitter.com/2/tweets"
$body   = @{ text = "Hello from OpenClaw!" } | ConvertTo-Json
$authHeader = Get-OAuthHeader -method "POST" -url $url -apiKey $apiKey -apiSecret $apiSecret -accessToken $accessToken -accessSecret $accessSecret
$result = Invoke-RestMethod -Uri $url -Method POST -Headers @{ Authorization = $authHeader; "Content-Type" = "application/json" } -Body $body -ErrorAction Stop
Write-Host "Posted tweet ID: $($result.data.id)"

DELETE:

$url    = "https://api.twitter.com/2/tweets/{id}"
$authHeader = Get-OAuthHeader -method "DELETE" -url $url -apiKey $apiKey -apiSecret $apiSecret -accessToken $accessToken -accessSecret $accessSecret
$result = Invoke-RestMethod -Uri $url -Method DELETE -Headers @{ Authorization = $authHeader } -ErrorAction Stop

Get Own User ID (needed for user-context endpoints)

$url    = "https://api.twitter.com/2/users/me"
$authHeader = Get-OAuthHeader -method "GET" -url $url -apiKey $apiKey -apiSecret $apiSecret -accessToken $accessToken -accessSecret $accessSecret
$me     = Invoke-RestMethod -Uri $url -Headers @{ Authorization = $authHeader } -ErrorAction Stop
$userId = $me.data.id

Post with Media (image attachment)

# Step 1: Upload media via v1.1 endpoint (media upload is not on v2 yet)
$mediaUrl   = "https://upload.twitter.com/1.1/media/upload.json"
$fileBytes  = [System.IO.File]::ReadAllBytes($imagePath)
$b64        = [System.Convert]::ToBase64String($fileBytes)
$uploadAuth = Get-OAuthHeader -method "POST" -url $mediaUrl -apiKey $apiKey -apiSecret $apiSecret -accessToken $accessToken -accessSecret $accessSecret
$upload     = Invoke-RestMethod -Uri $mediaUrl -Method POST -Headers @{ Authorization = $uploadAuth; "Content-Type" = "application/json" } `
    -Body (@{ media_data = $b64 } | ConvertTo-Json) -ErrorAction Stop
$mediaId    = $upload.media_id_string
# Step 2: Post tweet with media
$tweetUrl   = "https://api.twitter.com/2/tweets"
$tweetAuth  = Get-OAuthHeader -method "POST" -url $tweetUrl -apiKey $apiKey -apiSecret $apiSecret -accessToken $accessToken -accessSecret $accessSecret
$result     = Invoke-RestMethod -Uri $tweetUrl -Method POST `
    -Headers @{ Authorization = $tweetAuth; "Content-Type" = "application/json" } `
    -Body (@{ text = $caption; media = @{ media_ids = @($mediaId) } } | ConvertTo-Json -Depth 3) -ErrorAction Stop
Write-Host "Posted tweet with media ID: $($result.data.id)"

STEP 3 - Handle Errors

try {
    # ... API call ...
} catch {
    $err    = $_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue
    $status = $_.Exception.Response.StatusCode.value__
    $title  = $err.title
    $detail = $err.detail
    Write-Host "HTTP $status - $title : $detail"
}

HTTP Status	Title / Code	Meaning	Fix
400	Invalid Request	Bad parameters or malformed JSON	Check required fields; ensure JSON body is valid
401	Unauthorized	Invalid or expired credentials	Regenerate Access Token and Secret in Developer Portal
403	Forbidden	App lacks permission or write access disabled	Enable Read and Write in App -> User authentication settings
403	duplicate-content	Tweet text is a duplicate	Change the tweet text
429	Too Many Requests	Rate limit exceeded	Check `x-rate-limit-reset` header; wait until reset time
404	Not Found	Tweet or user does not exist	Verify the ID; tweet may have been deleted
453	Access to endpoint denied	Endpoint requires elevated access tier	Upgrade to Basic/Pro at developer.twitter.com

Rate Limits (Free Tier)

Action	Limit
POST /tweets	17 tweets per 24h per user; 50 per app
DELETE /tweets	50 per 15 min
GET /users/me	25 per 24h
GET /tweets/search/recent	Requires Basic tier or above
GET timelines	5 per 15 min (Free); 180 per 15 min (Basic)

If rate limited: read the x-rate-limit-reset response header (Unix timestamp) and tell the user when they can retry.

Access Tiers

Tier	Cost	Key limits
Free	$0	17 tweets/day write; very limited read
Basic	$100/month	100 tweets/day; search; higher read limits
Pro	$5000/month	Full access; high rate limits

AGENT RULES

Always load credentials first. If missing or incomplete, guide setup.
Always use OAuth 1.0a via the Get-OAuthHeader helper - never send raw tokens in query strings.
Get own user ID first when calling user-context endpoints (/users/{id}/...) - use /users/me.
Never embed tokens as literals - read all four credential fields fresh from disk at runtime.
Rotate credentials if the host is ever compromised: regenerate Access Token and Secret in Developer Portal.
Rate limits: on HTTP 429, read x-rate-limit-reset header and tell the user the exact retry time.
Free tier restrictions: search requires Basic tier; if user gets 453 "Access to endpoint denied", tell them the required tier and link to developer.twitter.com/en/portal/products.
Media upload: uses v1.1 upload endpoint (upload.twitter.com) - this is intentional and expected; it is still Twitter/X infrastructure. State this if the user asks.
Least-privilege: instruct user to enable only Read and Write in app settings; do not request DM permissions unless explicitly needed.
All API calls go to api.twitter.com and upload.twitter.com only - both are X/Twitter infrastructure. No external forwarding, no third-party services.
Construct API calls inline from user intent - do not look for script files.
On any error: parse HTTP status, map to the table above, tell the user exactly what to do.
Duplicate tweet: if user tries to post the same text twice, tell them X blocks duplicate content and ask them to change the wording.

Files

2 total

Select a file

Select a file to preview.

Comments

Loading comments…