x-twitter
Interact with Twitter/X — read tweets, search, post, like, retweet, and manage your timeline.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 46 · 18.3k · 154 current installs · 163 all-time installs
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the runtime instructions and the included CLI implementation: reading, searching, posting and engagement actions are implemented (mocked). Requested credential (TWITTER_BEARER_TOKEN) is consistent with a Twitter API integration.
Instruction Scope
SKILL.md only instructs running the twclaw CLI and describes expected flags and behavior. It does not ask the agent to read unrelated system files or exfiltrate data. It does mention optional TWITTER_API_KEY/TWITTER_API_SECRET for write operations (which are optional, not required).
Install Mechanism
Install spec says to install the node package named 'twclaw' via npm. The skill also includes package.json and a local bin/twclaw.js implementation. It's unclear whether the platform will use the included code or run 'npm install twclaw' (which would fetch a package from the public registry). Installing from npm introduces moderate risk if the registry package name is unvetted or differs from the provided source.
Credentials
Only TWITTER_BEARER_TOKEN is required (declared as primary), which is proportional. The SKILL.md references optional TWITTER_API_KEY and TWITTER_API_SECRET for write ops — acceptable as optional. Minor privacy note: auth-check prints the first 8 characters of the bearer token to stdout, which could leak a token fragment in logs.
Persistence & Privilege
always is false and the skill does not request any persistent system-wide privileges or config paths. Autonomous invocation is allowed (platform default) but not combined with other high-risk factors.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md was flagged for unicode control characters. This is not expected for a normal CLI skill and can be used to hide or obfuscate content. The rest of the visible SKILL.md looks normal, but the presence of such characters merits inspection of the raw file bytes before trusting the skill.
What to consider before installing
This skill appears to implement a mock/local CLI for Twitter/X and only needs a Twitter bearer token — which is reasonable. However:
(1) confirm how the install will be performed: if the platform runs 'npm install twclaw', that will fetch a package from the public npm registry (risk if package name is untrusted); prefer using the included code or verify the exact registry package contents before installing.
(2) Inspect the raw SKILL.md for the reported unicode control characters (use a hex or visible-control-char view: e.g., cat -v, hexdump -C, or an editor that displays hidden characters) to ensure there is no hidden instruction or obfuscation.
(3) Review the included bin/twclaw.js fully (it's mostly mock data) and confirm no network calls or unexpected behavior exist; note auth-check prints the first 8 chars of your bearer token to stdout — consider that log exposure when deciding where to use this token.
(4) If you proceed, prefer installing from the provided files or verify the npm package's integrity (checksum/registry owner) and rotate the bearer token after testing if you installed from an untrusted source.
Like a lobster shell, security has layers — review code before you run it.
Current version: v2.3.1
Runtime requirements
🐦⬛ Clawdis
Bins: twclaw
Env: TWITTER_BEARER_TOKEN
Primary env: TWITTER_BEARER_TOKEN
Install
Install twclaw (npm)
Bins: twclaw
npm i -g twclaw
SKILL.md
twitter-openclaw 🐦⬛
Interact with Twitter/X posts, timelines, and users from OpenClaw.
Authentication
Requires a Twitter API Bearer Token set as TWITTER_BEARER_TOKEN.
Optionally set TWITTER_API_KEY and TWITTER_API_SECRET for write operations (post, like, retweet).
Run twclaw auth-check to verify credentials.
Commands
Reading
twclaw read <tweet-url-or-id> # Read a single tweet with full metadata
twclaw thread <tweet-url-or-id> # Read full conversation thread
twclaw replies <tweet-url-or-id> -n 20 # List replies to a tweet
twclaw user <@handle> # Show user profile info
twclaw user-tweets <@handle> -n 20 # User's recent tweets
Timelines
twclaw home -n 20 # Home timeline
twclaw mentions -n 10 # Your mentions
twclaw likes <@handle> -n 10 # User's liked tweets
Search
twclaw search "query" -n 10 # Search tweets
twclaw search "from:elonmusk AI" -n 5 # Search with operators
twclaw search "#trending" --recent # Recent tweets only
twclaw search "query" --popular # Popular tweets only
Trending
twclaw trending # Trending topics worldwide
twclaw trending --woeid 23424977 # Trending in specific location
Posting
twclaw tweet "hello world" # Post a tweet
twclaw reply <tweet-url-or-id> "great thread!" # Reply to a tweet
twclaw quote <tweet-url-or-id> "interesting take" # Quote tweet
twclaw tweet "look at this" --media image.png # Tweet with media
Engagement
twclaw like <tweet-url-or-id> # Like a tweet
twclaw unlike <tweet-url-or-id> # Unlike a tweet
twclaw retweet <tweet-url-or-id> # Retweet
twclaw unretweet <tweet-url-or-id> # Undo retweet
twclaw bookmark <tweet-url-or-id> # Bookmark a tweet
twclaw unbookmark <tweet-url-or-id> # Remove bookmark
Following
twclaw follow <@handle> # Follow user
twclaw unfollow <@handle> # Unfollow user
twclaw followers <@handle> -n 20 # List followers
twclaw following <@handle> -n 20 # List following
Lists
twclaw lists # Your lists
twclaw list-timeline <list-id> -n 20 # Tweets from a list
twclaw list-add <list-id> <@handle> # Add user to list
twclaw list-remove <list-id> <@handle> # Remove user from list
Output Options
--json # JSON output
--plain # Plain text, no formatting
--no-color # Disable ANSI colors
-n <count> # Number of results (default: 10)
--cursor <val> # Pagination cursor for next page
--all # Fetch all pages (use with caution)
Guidelines for OpenClaw
- When reading tweets, always show: author, handle, text, timestamp, engagement counts.
- For threads, present tweets in chronological order.
- When searching, summarize results concisely with key metrics.
- Before posting/liking/retweeting, confirm the action with the user.
- Rate limits apply — space out bulk operations.
- Use --json when you need to process output programmatically.
Troubleshooting
401 Unauthorized
Check that TWITTER_BEARER_TOKEN is set and valid.
429 Rate Limited
Wait and retry. Twitter API has strict rate limits per 15-minute window.
TL;DR: Read, search, post, and engage on Twitter/X. Always confirm before write actions.
