Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X/Twitter by altf1be

v1.1.3

Post tweets, threads, and media to X/Twitter via API v2 — secure OAuth 1.0a signing, minimal dependencies (commander + dotenv only).

by Abdelkrim from Brussels (@abdelkrim)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (post tweets/threads/media) matches the code and required environment variables (X_CONSUMER_KEY, X_CONSUMER_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET). No unrelated credentials or external services are requested.
Instruction Scope
SKILL.md only instructs installing dependencies and running the included CLI. The runtime instructions and the script operate only on user-provided content and the four OAuth env vars. Minor documentation mismatch: README mentions a 'Bearer Token' in prerequisites, but neither SKILL.md nor the code uses a bearer token (the script uses OAuth 1.0a and v1.1 upload endpoints for media).
Install Mechanism
No install spec in registry (instruction-only), but SKILL.md/README instructs 'npm install' which will pull 'commander' and 'dotenv' from the npm registry. This is expected for a Node CLI but carries the usual moderate risk of fetching packages from npm; package-lock.json is included and shows concrete versions.
Credentials
Only the four OAuth secrets required are declared and used by the code; these are proportionate to posting tweets and uploading media. The skill does not request unrelated secrets or system credentials.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system-wide privileges. It does not modify other skill configs or system-wide settings.
Assessment
This skill appears to do exactly what it claims: post tweets/threads and upload media using your X/Twitter OAuth keys. Before installing: (1) Verify you trust the skill source (GitHub link in metadata). (2) Keep the four OAuth secrets private (store in .env, do not commit). (3) Run npm install in an isolated environment if you are cautious — package-lock.json is present and shows only 'commander' and 'dotenv'. (4) Note the script will read media files you explicitly pass; it enforces path and extension checks (only under home/working-dir/tmp and common image/video extensions). (5) The README mentions a Bearer Token but the code does not use one — expect only OAuth consumer/access keys. Rotate keys if you later revoke access. If you want additional assurance, review the full scripts/xpost.mjs file before running and test with a throwaway/test account first.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/xpost.mjs:28
Environment variable access combined with network send.
scripts/xpost.mjs:13
File read combined with network send (possible exfiltration).


Latest version id: vk97f57thncn6yr0hzad0f3pezd831wcn


Runtime requirements

🐦 Clawdis
Env: X_CONSUMER_KEY, X_CONSUMER_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET
Primary env: X_CONSUMER_KEY
