Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X-CLI Toolkit

v1.0.0

Full-featured X/Twitter toolkit — read, search, post, interact, DMs, lists, polls, trends. Cookie auth, proxy support, no API keys needed.

2· 694·1 current·1 all-time
by IGN Software @ignsoftwarellc
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the implementation: the scripts use twikit to interact with X via cookie-based auth and provide reading, search, posting, DMs, lists, media upload, etc. No unrelated credentials or binaries are requested. Requiring a cookies.json or username/password in config.json is consistent with the stated 'cookie auth, no API keys' model.
! Instruction Scope
SKILL.md and README instruct the agent to clone, install, configure, and authenticate automatically and explicitly suggest giving username/password to the agent. The code reads/writes config.json and cookies.json in the skill folder and directs the agent to run arbitrary scripts via exec — this expands the agent's access to user credentials and to site content (media fetched via web_fetch). While functional for the stated purpose, the runtime instructions grant the agent broad discretion to obtain and store sensitive credentials and session cookies.
Install Mechanism
No arbitrary remote downloads or custom installers are used. The only external package referenced is twikit via pip (requirements.txt). The skill is distributed as code files (no install spec), which will be executed by the agent — expected but means code runs locally on the agent.
! Credentials
The skill does not request platform env vars but expects sensitive secrets in config.json (x_password/x_username or cookies.json). The README explicitly suggests telling the agent your username/password which risks exposing credentials in chat or in files under the agent's skill directory. Storing cookies.json in the skill directory creates persistent session material that other processes or skills could potentially access if the host environment is shared.
Persistence & Privilege
always:false (good). The skill writes cookies and config files into its own directory (normal), and the README suggests installing as a global skill. It does not request to modify other skills or system configs. The combination of agent-run exec plus instructions to auto-install/authenticate increases blast radius if credentials are provided.
What to consider before installing
This skill appears to do what it says, but exercise caution before installing or using it with your real X account. Key points:

  • The tool authenticates with either a cookies.json file or username/password stored in config.json. Do NOT paste your account password into a chat with an agent unless you fully trust that agent and environment.
  • cookies.json contains session tokens that function like passwords; if created, they live in the skill directory and could be read by other processes/users on the machine. Prefer using a throwaway/X test account rather than your primary account.
  • The README explicitly suggests instructing the agent to clone/install and supply credentials automatically — this is convenient but high-risk. If you use the skill, require manual confirmation before the agent runs login/posting commands and avoid giving credentials via conversational channels.
  • The code depends on twikit which uses private web GraphQL endpoints (not official API). This can break or violate X's terms of service; consider legal/TOS implications.
  • If you decide to proceed: review the included scripts (they are present and readable), run them in an isolated environment, inspect the twikit package you install, and avoid running on a shared host. If you want safer usage, consider limiting the skill's autonomous invocation or using a dedicated account and rotating credentials.
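One way to check the credential-storage concerns above on an installed copy, as an added example that is not part of the skill or the scan output. It assumes POSIX file permissions and a flat config.json using the key names mentioned on this page (x_password, cookies_file, proxy); the function names and the demo directory are constructed for illustration.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlsplit

SECRET_FILES = ("config.json", "cookies.json")  # file names taken from the page


def audit_skill_dir(skill_dir):
    """Return (file, issue) findings for credential files in skill_dir."""
    findings = []
    paths = {name: os.path.join(skill_dir, name) for name in SECRET_FILES}
    if os.path.isfile(paths["config.json"]):
        with open(paths["config.json"], encoding="utf-8") as fh:
            cfg = json.load(fh)
        # Assumption: config.json is a flat object with the page's key names.
        if cfg.get("x_password"):
            findings.append(("config.json", "plaintext x_password stored"))
        if urlsplit(cfg.get("proxy") or "").password:
            findings.append(("config.json", "proxy URL embeds a password"))
        if cfg.get("cookies_file"):
            # The cookie jar may live elsewhere; audit that path as well.
            name = cfg["cookies_file"]
            paths[name] = os.path.join(skill_dir, name)
    for name, path in paths.items():
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # any group/other permission bit is set
            findings.append((name, f"mode {mode:04o} grants access beyond the owner"))
    return findings


def make_demo_dir():
    """Build a constructed skill directory with deliberately weak settings."""
    d = tempfile.mkdtemp(prefix="x-cli-demo-")
    cfg = {"x_username": "demo", "x_password": "not-a-real-password",
           "cookies_file": "cookies.json",
           "proxy": "http://user:pass@127.0.0.1:8080"}
    for name, body, mode in (("config.json", cfg, 0o644),
                             ("cookies.json", {}, 0o600)):
        path = os.path.join(d, name)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(body, fh)
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    for name, issue in audit_skill_dir(make_demo_dir()):
        print(f"{name}: {issue}")
```

An empty result means only that these three checks passed; it does not cover credentials pasted into chat history or the behaviour of the installed twikit package.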

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

𝕏 Clawdis
Tags: automation, latest, social, twikit, twitter, x
694 downloads
2 stars
1 version
Updated 5h ago
v1.0.0
MIT-0

x-cli

Full-featured X/Twitter toolkit for OpenClaw agents. Powered by twikit — no API keys required, cookie-based auth.

Setup

pip install -r scripts/requirements.txt
cp config.example.json config.json
# Set cookies_file path or credentials in config.json

Commands

Read (x_read.py)

python scripts/x_read.py tweet <url-or-id>              # Read a tweet
python scripts/x_read.py user <username> --count 5       # User's tweets
python scripts/x_read.py timeline --count 20             # Home timeline (Following)
python scripts/x_read.py foryou --count 20               # For You timeline
python scripts/x_read.py thread <url-or-id>              # Read thread
python scripts/x_read.py replies <url-or-id> --count 20  # Replies to a tweet
python scripts/x_read.py mentions --count 10             # Your mentions
python scripts/x_read.py highlights <username>           # User's highlights
python scripts/x_read.py search-user "query" --count 10  # Search users

Search (x_search.py)

python scripts/x_search.py "query" --count 10
python scripts/x_search.py "from:zerohedge gold" --count 5

Post (x_post.py) — confirm with user first!

python scripts/x_post.py tweet "text"                    # Post tweet
python scripts/x_post.py tweet "text" --media ID1 ID2    # With media
python scripts/x_post.py tweet "text" --dry-run           # Preview only
python scripts/x_post.py reply <id> "text"                # Reply
python scripts/x_post.py quote <id> "text"                # Quote tweet

Interact (x_interact.py)

python scripts/x_interact.py like <tweet>        # Like
python scripts/x_interact.py unlike <tweet>      # Unlike
python scripts/x_interact.py retweet <tweet>     # Retweet
python scripts/x_interact.py unretweet <tweet>   # Undo retweet
python scripts/x_interact.py bookmark <tweet>    # Bookmark
python scripts/x_interact.py unbookmark <tweet>  # Remove bookmark
python scripts/x_interact.py follow <username>   # Follow
python scripts/x_interact.py unfollow <username> # Unfollow
python scripts/x_interact.py delete <tweet>      # Delete tweet
python scripts/x_interact.py mute <username>     # Mute
python scripts/x_interact.py unmute <username>   # Unmute
python scripts/x_interact.py block <username>    # Block
python scripts/x_interact.py unblock <username>  # Unblock

DMs (x_dm.py)

python scripts/x_dm.py send <username> "message"  # Send DM
python scripts/x_dm.py inbox --count 10            # Read inbox

Extra (x_extra.py)

python scripts/x_extra.py trends                              # Trending
python scripts/x_extra.py trends --category news               # Category trends
python scripts/x_extra.py bookmarks --count 10                 # List bookmarks
python scripts/x_extra.py notifications --count 10             # Notifications
python scripts/x_extra.py user-info <username>                 # User profile
python scripts/x_extra.py followers <username> --count 20      # Followers
python scripts/x_extra.py following <username> --count 20      # Following
python scripts/x_extra.py upload <filepath>                    # Upload media
python scripts/x_extra.py schedule <timestamp> "text"          # Schedule tweet
python scripts/x_extra.py poll "A" "B" "C" --duration 1440    # Create poll
python scripts/x_extra.py list-create "name" --private         # Create list
python scripts/x_extra.py list-add <list-id> <username>        # Add to list
python scripts/x_extra.py list-remove <list-id> <username>     # Remove from list
python scripts/x_extra.py list-tweets <list-id> --count 20     # List tweets

Auth (x_auth.py)

python scripts/x_auth.py check    # Check auth status
python scripts/x_auth.py whoami   # Current user
python scripts/x_auth.py login    # Login (uses config.json)

Output

All commands: plain text by default, --json for structured JSON.

Media & Reply Context

  • Tweets with images/videos include media URLs in output (🖼️ / 🎥)
  • Replies include ↩️ Reply to: link to the original tweet
  • Agent can fetch media URLs with web_fetch and analyze with vision

Proxy (optional)

Set "proxy": "http://user:pass@host:port" in config.json.
