ClawHub

X Publisher

Post tweets, threads, replies, and quote-tweets to X (Twitter) via API v2 with OAuth 1.0a.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 14 · 0 current installs · 0 all-time installs
bypbopps@3rdbrain
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and required environment variables (X API key/secret and access token/secret). The included x-api.js implements posting, threading, replies, quote-tweets, likes, deletes, and timeline reads against api.twitter.com/2 using OAuth 1.0a — these require the declared credentials and are proportionate to the stated purpose.
Instruction Scope
SKILL.md directs running the bundled Node script at /root/.openclaw/skills/x-api/x-api.js and warns against using other tools. That is unusual but not inherently malicious. One inconsistency: SKILL.md documents scheduling commands (schedule, schedule-thread) and says posts are 'saved to queue, posted by cron', but the provided x-api.js contains no scheduling/queue/cron implementation. Otherwise the runtime instructions primarily call the included script and do not request unrelated files or system data.
Install Mechanism
No install spec; the skill is instruction-plus-code only. No downloads from external URLs or package installs are present. The single JavaScript file has a clear purpose and no obfuscated or unusual install actions.
Credentials
Only four environment variables are required and they are precisely the OAuth 1.0a consumer key/secret and access token/secret needed to act as the user account. No unrelated credentials, config paths, or broad secrets are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It will run the bundled script which has normal network access to Twitter APIs; autonomous invocation is allowed by default (not flagged on its own).
Assessment
This skill appears to do what it says: it will use the four X/Twitter credentials you provide to act as that account and post/read tweets. Before installing: (1) Only supply credentials for an account you control and are comfortable automating — the script can post, like, and delete as that user. (2) Review the included x-api.js yourself or with someone you trust; there is no hidden outbound host other than api.twitter.com and no obfuscated code, but the script will have network access while it runs. (3) Note the SKILL.md mentions scheduling/cron support, but the code does not implement scheduling — treat that documentation as inaccurate. (4) The skill's source is unknown/third-party; if you do not trust the publisher, create and use a throwaway/test X account or rotate keys after testing. (5) Ensure Node >=18 is available in your environment as required by package.json.
x-api.js:39
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9740ezqqzftybq3jzdbp6m47h83agwq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvX_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET

SKILL.md

X (Twitter) API Skill

CRITICAL: Read This First

You control the X (Twitter) account using the script at /root/.openclaw/skills/x-api/x-api.js.

There is NO twitter command, NO Python, NO pip in this container. Do NOT search for other tools. Do NOT try to use curl with OAuth headers. Do NOT try to install anything.

The ONLY way to post tweets is:

node /root/.openclaw/skills/x-api/x-api.js post "Your tweet text here"

This script handles ALL OAuth 1.0a signing automatically using your configured API keys. Just run it.

Commands

Post a tweet:

node /root/.openclaw/skills/x-api/x-api.js post "Hello world! This is my first tweet."

Post a thread (multiple connected tweets):

node /root/.openclaw/skills/x-api/x-api.js thread "First tweet of thread" "Second tweet continues..." "Third tweet wraps up"

Reply to a tweet:

node /root/.openclaw/skills/x-api/x-api.js reply 1234567890 "This is my reply"

Quote-tweet:

node /root/.openclaw/skills/x-api/x-api.js quote 1234567890 "Interesting take!"

Like a tweet:

node /root/.openclaw/skills/x-api/x-api.js like 1234567890

Delete a tweet:

node /root/.openclaw/skills/x-api/x-api.js delete 1234567890

Check your recent tweets:

node /root/.openclaw/skills/x-api/x-api.js timeline 10

Schedule a tweet for later (saved to queue, posted by cron):

node /root/.openclaw/skills/x-api/x-api.js schedule "Good morning!" "2026-02-22T09:00:00Z"

Schedule a thread for later:

node /root/.openclaw/skills/x-api/x-api.js schedule-thread "Tweet 1" "Tweet 2" "2026-02-22T09:00:00Z"

How It Works

  • The script uses Node.js built-in crypto module — zero dependencies
  • OAuth 1.0a HMAC-SHA1 signing is done automatically
  • API credentials are read from environment variables
  • Output is JSON with { success: true/false, data: {...}, summary: "..." }

Important Rules

  1. Always use node /root/.openclaw/skills/x-api/x-api.js — this is your Twitter tool
  2. Never try pip install, python, curl with OAuth, or any other method
  3. Tweet text max 280 characters
  4. Thread max 25 tweets
  5. The script returns JSON — check the success field to confirm it worked

Environment Variables

  • X_API_KEY — X API key (OAuth 1.0a consumer key)
  • X_API_SECRET — X API secret
  • X_ACCESS_TOKEN — Access token
  • X_ACCESS_SECRET — Access token secret

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…