ClawHub

Neomano X (Tweet Publisher + Image)

v0.1.0

Draft, revise, and publish X (Twitter) posts with an image using the X API. Use when the user asks for a tweet/post for X, wants to attach an image, and requ...

1· 145·0 current·0 all-time
by@elandivar

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for elandivar/neomano-x.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Neomano X (Tweet Publisher + Image)" (elandivar/neomano-x) from ClawHub.
Skill page: https://clawhub.ai/elandivar/neomano-x
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install neomano-x

ClawHub CLI

Package manager switcher

npx clawhub@latest install neomano-x
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (X/Twitter post + image) align with the code and required artifacts: python3 is required and the code uses OAuth1 and the Twitter/X media and tweets endpoints. The required env vars (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET) are the expected credentials for this functionality.
Instruction Scope
SKILL.md confines actions to drafting and publishing tweets and describes a manual approval step; the runtime scripts implement only OAuth token acquisition, media upload, and tweet creation against twitter.com/api endpoints. Note: SKILL.md recommends storing credentials in ~/.openclaw/.env (a local file) — this is a convenience but increases the risk of secrets on disk, so users should secure that file. There is no hidden file/system scanning or external data exfiltration beyond the X/Twitter APIs.
Install Mechanism
No package-install spec in the registry; shipped scripts create a local Python venv and pip-install two small dependencies (requests, requests_oauthlib). This is proportionate for the stated purpose and uses standard PyPI packages; the venv is local to the skill and avoids system-wide changes.
Credentials
The required environment variables are exactly the OAuth 1.0a credentials needed to upload media and publish tweets. There are no unrelated secrets requested. An optional X_OAUTH_CALLBACK is referenced for the OAuth flow — expected and reasonable.
Persistence & Privilege
The skill is not always-enabled (always: false) and is user-invocable; it does not request elevated platform privileges or modify other skill configs. Autonomous invocation is permitted by default (disable-model-invocation: false) which is normal for skills and not itself a concern here.
Assessment
This skill appears to do exactly what it says: help draft and publish X/Twitter posts with an image. Before installing: (1) Only provide the four OAuth env vars if you trust the skill—these are full publish credentials and allow posting with your account; consider creating a limited app/token if appropriate. (2) The skill suggests storing credentials in ~/.openclaw/.env — if you do, secure that file (filesystem permissions, avoid backups). (3) The bootstrap installs requests and requests_oauthlib into a local .venv; review or vet those packages if your environment restricts external downloads. (4) The SKILL.md requires an explicit user confirmation step (PUBLICAR/PUBLISH) before posting; ensure your agent or UI enforces that workflow so posts aren't published without explicit approval. If you need higher assurance, inspect the shipped scripts locally (they are small and readable) and rotate tokens after testing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

𝕏 Clawdis
Binspython3
EnvX_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET
Primary envX_API_KEY
latestvk974tka9y5cz1xtkwghradzpe9835z73mediavk974tka9y5cz1xtkwghradzpe9835z73oauth1vk974tka9y5cz1xtkwghradzpe9835z73postingvk974tka9y5cz1xtkwghradzpe9835z73twittervk974tka9y5cz1xtkwghradzpe9835z73xvk974tka9y5cz1xtkwghradzpe9835z73
145downloads
1stars
1versions
Updated 1mo ago
v0.1.0
MIT-0
@elandivar
latestmediaoauth1postingtwitterx
Download

Safety / approval rule (mandatory)

  • Never publish unless the user explicitly replies with PUBLICAR or PUBLISH (uppercase).
  • Before publishing, always show the final text + the image you will use.

Credentials (do not hardcode)

Provide these as environment variables (recommended: ~/.openclaw/.env on the gateway machine):

  • X_API_KEY
  • X_API_SECRET
  • X_ACCESS_TOKEN
  • X_ACCESS_TOKEN_SECRET

One-time setup

1) Create the venv (once)

python3 {baseDir}/scripts/bootstrap_venv.py

Rationale: this avoids system-wide installs (PEP 668 / externally-managed Python) and keeps dependencies isolated to this skill.

Note: the .venv/ directory is intentionally not shipped in the skill package; each user creates it locally.

2) If you do NOT have Access Token Secret (UI changed)

Use the OAuth 1.0a 3‑legged flow to obtain X_ACCESS_TOKEN + X_ACCESS_TOKEN_SECRET.

Prereq: set an allowed callback URL in your X app settings (any HTTPS URL is fine, even a dummy page). Recommended: set X_OAUTH_CALLBACK=https://example.com/callback (and whitelist it in the app).

Start:

# run inside the venv
python3 {baseDir}/scripts/run.py dry-run --text "(noop)"  # just to verify venv exists
{baseDir}/.venv/bin/python {baseDir}/scripts/oauth1_flow.py auth-start

Open the printed AUTH_URL, approve, then copy oauth_verifier from the browser redirect URL.

Finish:

{baseDir}/.venv/bin/python {baseDir}/scripts/oauth1_flow.py auth-finish \
  --oauth-token "..." \
  --oauth-token-secret "..." \
  --oauth-verifier "..."

Workflow

  1. Ask for: tweet text idea + the image (a local path or an inbound media file path).
  2. Produce a draft tweet (and alt-text suggestion for the image).
  3. Iterate revisions until the user is happy.
  4. When the user says PUBLICAR or PUBLISH:
python3 {baseDir}/scripts/run.py publish --text "..." --image "/path/to/image.jpg"

If the user did not approve, only run dry-run:

python3 {baseDir}/scripts/run.py dry-run --text "..." --image "/path/to/image.jpg"

Notes

  • Image upload uses the v1.1 media upload endpoint.
  • Tweet creation uses the v2 tweets endpoint.

Comments

Loading comments...