Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baoyu Danger X To Markdown

v1.103.2

Converts X (Twitter) tweets and articles to markdown with YAML front matter. Uses reverse-engineered API requiring user consent. Use when user mentions "X to...

by Jim Liu 宝玉 @jimliu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jimliu/baoyu-danger-x-to-markdown.

Install the skill "Baoyu Danger X To Markdown" (jimliu/baoyu-danger-x-to-markdown) from ClawHub.
Skill page: https://clawhub.ai/jimliu/baoyu-danger-x-to-markdown
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install baoyu-danger-x-to-markdown

ClawHub CLI

npx clawhub@latest install baoyu-danger-x-to-markdown

Security Scan

Capability signals: Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description match the code: the repository contains TypeScript that fetches X/Twitter content (via reverse-engineered GraphQL endpoints), formats it to Markdown, and optionally downloads media. Requiring access to cookies or a bearer token is coherent with the stated purpose (to access protected or rate-limited content). However, the registry metadata lists no required environment variables while the code reads multiple X_* env vars (e.g., X_AUTH_TOKEN, X_CT0, X_BEARER_TOKEN, X_USER_AGENT, X_CLIENT_TRANSACTION_ID) — that mismatch is a transparency issue.
! Instruction Scope
Runtime instructions and code perform actions beyond simple HTTP fetches: they read and write consent and preference files in user config directories (~/.baoyu-skills, ~/.local/share or macOS Library paths), read cookie files, may launch or attach to Chrome via CDP to capture cookies, and can write a cookie file containing auth tokens. The SKILL.md requires an interactive consent/first-time setup flow, but the code also loads credentials from environment variables and logs partial cookie values. All of this is within the functional scope but raises privacy concerns because sensitive credentials and local files are accessed and created.
Install Mechanism
There is no formal install spec, but the skill ships executable TypeScript in scripts/ and expects to be run with bun or via `npx -y bun`. That means if bun isn't installed the runtime will invoke npx which can pull packages from npm at execution time. There are no remote download URLs in the manifest itself and no use of obscure download hosts, but the npx fallback implies runtime downloading of tooling (moderate risk) and the shipped code will be executed on the user's machine.
! Credentials
Registry metadata declares no required environment variables, yet the code reads many X_* environment variables (X_AUTH_TOKEN, X_CT0, X_GUEST_TOKEN, X_TWID, X_BEARER_TOKEN, X_USER_AGENT, X_CLIENT_TRANSACTION_ID, X_CHROME_PATH, X_DEBUG_PORT). Those env vars are sensitive (auth tokens/cookies) and the skill will use them if present. The skill also writes cookie and preference files to user directories. The requested/used environment surface is significant and not documented in the metadata — a transparency and privilege concern.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill writes consent/EXTEND.md and a cookie file to user config locations and may persist cookies captured via CDP. It does not appear to modify other skills or system-wide agent settings, but it will store credentials locally and can relaunch/attach to Chrome. This persistent storage of auth cookies is expected for the functionality but increases the attack surface and requires user care.
What to consider before installing
This skill implements a reverse-engineered X/Twitter client and will try to obtain/use auth cookies and tokens to fetch content. Before installing or running:

  • Don't supply real account tokens to untrusted code; prefer a throwaway account if you need to log in.
  • Expect the skill to write files to your home config dirs (~/.baoyu-skills, ~/.local/share, or macOS Library paths) and to create a cookie file containing X auth cookies. It will also create EXTEND.md and a consent file.
  • If bun is not installed the skill will use `npx -y bun`, which downloads code from npm at runtime — be aware of this behavior.
  • The SKILL.md declares a consent prompt, but the registry metadata does not list the environment variables the code will read; assume the skill will honor any X_* env vars present.
  • If you need this functionality but are uncomfortable with cookie persistence, inspect the code locally, run it in an isolated environment (container or VM), or avoid providing credentials and accept limited/no-auth operation.

If you want me to, I can point to the exact file paths the skill will create, list the env vars the code checks for, or highlight the lines where cookie handling and file writes occur.

scripts/paths.ts:39
Shell command execution detected (child_process).
scripts/graphql.ts:256
Environment variable access combined with network send.
scripts/http.ts:112
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Any bin: bun, npx
latest: vk974f3j7bmbqbq0dch0r83yt2n8598bc
913 downloads
0 stars
11 versions
Updated 9h ago
v1.103.2
MIT-0

X to Markdown

Converts X content to markdown:

  • Tweets/threads → Markdown with YAML front matter
  • X Articles → Full content extraction

User Input Tools

When this skill prompts the user, follow this tool-selection rule (priority order):

  1. Prefer built-in user-input tools exposed by the current agent runtime — e.g., AskUserQuestion, request_user_input, clarify, ask_user, or any equivalent.
  2. Fallback: if no such tool exists, emit a numbered plain-text message and ask the user to reply with the chosen number/answer for each question.
  3. Batching: if the tool supports multiple questions per call, combine all applicable questions into a single call; if only single-question, ask them one at a time in priority order.

Concrete AskUserQuestion references below are examples — substitute the local equivalent in other runtimes.

Script Directory

Scripts located in scripts/ subdirectory.

Path Resolution:

  1. {baseDir} = this SKILL.md's directory
  2. Script path = {baseDir}/scripts/main.ts
  3. Resolve ${BUN_X} runtime: if bun installed → bun; if npx available → npx -y bun; else suggest installing bun

Consent Requirement

Before any conversion, check and obtain consent.

Consent Flow

Step 1: Check consent file

# macOS
cat ~/Library/Application\ Support/baoyu-skills/x-to-markdown/consent.json

# Linux
cat ~/.local/share/baoyu-skills/x-to-markdown/consent.json

Step 2: If accepted: true and disclaimerVersion: "1.0" → print warning and proceed:

Warning: Using reverse-engineered X API. Accepted on: <acceptedAt>

Step 3: If missing or version mismatch → display disclaimer:

DISCLAIMER

This tool uses a reverse-engineered X API, NOT official.

Risks:
- May break if X changes API
- No guarantees or support
- Possible account restrictions
- Use at your own risk

Accept terms and continue?

Use AskUserQuestion with options: "Yes, I accept" | "No, I decline"

Step 4: On accept → create consent file:

{
  "version": 1,
  "accepted": true,
  "acceptedAt": "<ISO timestamp>",
  "disclaimerVersion": "1.0"
}

Step 5: On decline → output "User declined. Exiting." and stop.

Preferences (EXTEND.md)

Check EXTEND.md in priority order — the first one found wins:

| Priority | Path | Scope |
|---|---|---|
| 1 | .baoyu-skills/baoyu-danger-x-to-markdown/EXTEND.md | Project |
| 2 | ${XDG_CONFIG_HOME:-$HOME/.config}/baoyu-skills/baoyu-danger-x-to-markdown/EXTEND.md | XDG |
| 3 | $HOME/.baoyu-skills/baoyu-danger-x-to-markdown/EXTEND.md | User home |

| Result | Action |
|---|---|
| Found | Read, parse, apply settings |
| Not found | MUST run first-time setup (see below) — do NOT silently create defaults |

EXTEND.md supports: Download media by default, default output directory.

First-Time Setup (BLOCKING)

CRITICAL: When EXTEND.md is not found, you MUST use AskUserQuestion to ask the user for their preferences before creating EXTEND.md. NEVER create EXTEND.md with defaults without asking. This is a BLOCKING operation — do NOT proceed with any conversion until setup is complete.

Use AskUserQuestion with ALL questions in ONE call:

Question 1 — header: "Media", question: "How to handle images and videos in tweets?"

  • "Ask each time (Recommended)" — After saving markdown, ask whether to download media
  • "Always download" — Always download media to local imgs/ and videos/ directories
  • "Never download" — Keep original remote URLs in markdown

Question 2 — header: "Output", question: "Default output directory?"

  • "x-to-markdown (Recommended)" — Save to ./x-to-markdown/{username}/{tweet-id}.md
  • (User may choose "Other" to type a custom path)

Question 3 — header: "Save", question: "Where to save preferences?"

  • "User (Recommended)" — ~/.baoyu-skills/ (all projects)
  • "Project" — .baoyu-skills/ (this project only)

After user answers, create EXTEND.md at the chosen location, confirm "Preferences saved to [path]", then continue.

Full reference: references/config/first-time-setup.md

Supported Keys

| Key | Default | Values | Description |
|---|---|---|---|
| download_media | ask | ask / 1 / 0 | ask = prompt each time, 1 = always download, 0 = never |
| default_output_dir | empty | path or empty | Default output directory (empty = ./x-to-markdown/) |

Value priority:

  1. CLI arguments (--download-media, -o)
  2. EXTEND.md
  3. Skill defaults

Usage

${BUN_X} {baseDir}/scripts/main.ts <url>
${BUN_X} {baseDir}/scripts/main.ts <url> -o output.md
${BUN_X} {baseDir}/scripts/main.ts <url> --download-media
${BUN_X} {baseDir}/scripts/main.ts <url> --json

Options

| Option | Description |
|---|---|
| <url> | Tweet or article URL |
| -o <path> | Output path |
| --json | JSON output |
| --download-media | Download image/video assets to local imgs/ and videos/, and rewrite markdown links to local relative paths |
| --login | Refresh cookies only |

Supported URLs

  • https://x.com/<user>/status/<id>
  • https://twitter.com/<user>/status/<id>
  • https://x.com/i/article/<id>

Output

---
url: "https://x.com/user/status/123"
author: "Name (@user)"
tweetCount: 3
coverImage: "https://pbs.twimg.com/media/example.jpg"
---

Content...

File structure: x-to-markdown/{username}/{tweet-id}/{content-slug}.md

When --download-media is enabled:

  • Images are saved to imgs/ next to the markdown file
  • Videos are saved to videos/ next to the markdown file
  • Markdown media links are rewritten to local relative paths

Media Download Workflow

Based on download_media setting in EXTEND.md:

| Setting | Behavior |
|---|---|
| 1 (always) | Run script with --download-media flag |
| 0 (never) | Run script without --download-media flag |
| ask (default) | Follow the ask-each-time flow below |

Ask-Each-Time Flow

  1. Run script without --download-media → markdown saved
  2. Check saved markdown for remote media URLs (https:// in image/video links)
  3. If no remote media found → done, no prompt needed
  4. If remote media found → use AskUserQuestion:
    • header: "Media", question: "Download N images/videos to local files?"
    • "Yes" — Download to local directories
    • "No" — Keep remote URLs
  5. If user confirms → run script again with --download-media (overwrites markdown with localized links)

Authentication

  1. Environment variables (preferred): X_AUTH_TOKEN, X_CT0
  2. Chrome login (fallback): Auto-opens Chrome, caches cookies locally
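
A pre-run check built from the details on this page (an added example, not part of the skill or of ClawHub's scan): it lists which of the X_* variables named in the scan report are set, which consent and EXTEND.md files already exist, and resolves the runtime while refusing the `npx -y bun` fallback unless opted in. ALLOW_NPX_BUN is a hypothetical variable name introduced here; the function names are also this example's own.

```shell
#!/bin/sh
# Added example: pre-run audit for this skill. Reports names and paths only,
# never the values of tokens or the contents of files.

# X_* variables the scan report says the code reads.
X_VARS="X_AUTH_TOKEN X_CT0 X_GUEST_TOKEN X_TWID X_BEARER_TOKEN X_USER_AGENT
X_CLIENT_TRANSACTION_ID X_CHROME_PATH X_DEBUG_PORT"

# Print the name of every listed variable that is set and non-empty.
set_x_vars() {
  for name in $X_VARS; do
    eval "val=\${$name:-}"
    if [ -n "$val" ]; then echo "$name"; fi
  done
  unset val
}

# Print the consent and EXTEND.md files (paths from SKILL.md) that already exist.
# $1 = home directory to inspect (defaults to $HOME).
state_files() {
  home=${1:-$HOME}
  cfg=${XDG_CONFIG_HOME:-$home/.config}
  for f in \
    "$home/Library/Application Support/baoyu-skills/x-to-markdown/consent.json" \
    "$home/.local/share/baoyu-skills/x-to-markdown/consent.json" \
    ".baoyu-skills/baoyu-danger-x-to-markdown/EXTEND.md" \
    "$cfg/baoyu-skills/baoyu-danger-x-to-markdown/EXTEND.md" \
    "$home/.baoyu-skills/baoyu-danger-x-to-markdown/EXTEND.md"
  do
    if [ -e "$f" ]; then echo "$f"; fi
  done
}

# Resolve the runtime as in Path Resolution, but refuse the `npx -y bun`
# fallback (a runtime download from npm) unless ALLOW_NPX_BUN=1 is set.
# ALLOW_NPX_BUN is a hypothetical opt-in name, not part of the skill.
resolve_bun_x() {
  if command -v bun >/dev/null 2>&1; then echo "bun"
  elif command -v npx >/dev/null 2>&1 && [ "${ALLOW_NPX_BUN:-0}" = 1 ]; then
    echo "npx -y bun"
  else
    echo "none"; return 1
  fi
}

echo "X_* variables set:";  set_x_vars
echo "State files present:"; state_files
echo "Runtime: $(resolve_bun_x || true)"
```

Run it from the project directory in the same shell session that will launch the agent, so the environment and the project-level .baoyu-skills/ path match what the skill would see.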

Extension Support

Custom configurations via EXTEND.md. See Preferences section for paths and supported options.
