ClawHub

Monitor X posts

v1.0.0

Monitor specific X/Twitter accounts and surface noteworthy tweets on a configurable schedule. Filters for high-value content about technology and trends, excluding political rage bait. Use when user wants to manage their X account list, run a manual check, or update filtering criteria.

0· 1.3k·9 current·10 all-time
by@vmathur
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The code and SKILL.md implement the described purpose (fetching tweets, filtering, scheduling). However there's a clear path inconsistency: fetch-tweets.py reads credentials/handles from ~/.openclaw/workspace/x-monitor/, while the cron setup and schedule.json locations in SKILL.md use ~/.openclaw/workspace/skills/x-monitor/config/schedule.json. This mismatch means scheduled jobs may not find credentials/handles or the script may not read the intended schedule, which is an incoherent design choice.
!
Instruction Scope
Instructions are generally scoped to the skill's purpose (store bearer token, list handles, configure schedule, create cron jobs). But the SKILL.md asks the agent to create cron jobs that post 'agentTurn' payloads (i.e., schedule future autonomous agent actions). That grants the skill recurring autonomous execution via the platform scheduler — expected for a monitor but worth noting. Also several paths in the docs differ (see purpose_capability), which could cause the agent to read/write unexpected locations or fail silently.
Install Mechanism
No install spec; the skill is instruction + scripts. There are no remote downloads or obscure installers. The Python script uses requests and local JSON files; the bash script only prints cron expressions. This is low risk from an install mechanism perspective.
Credentials
The only credential the skill needs is the X bearer token, which the SKILL.md asks you to store in a local credentials.json. The registry metadata lists no required env vars — consistent with file-based credentials. Storing a bearer token in plaintext under your home directory is functional but a security/privacy risk (consider file permissions or using a secrets store). There are no other unrelated credentials requested.
Persistence & Privilege
always:false and normal autonomous invocation are set. The skill instructs creating cron jobs that schedule agentTurn payloads, giving it persistent, recurring execution capability. This is reasonable for a monitor but increases the blast radius if the skill behaved unexpectedly; ensure you understand/approve the scheduled payloads before enabling them.
What to consider before installing
This skill appears to implement X monitoring but has a few issues you should resolve before installing: (1) Fix the path inconsistency — SKILL.md and scripts use two different base paths (~/.openclaw/workspace/x-monitor vs ~/.openclaw/workspace/skills/x-monitor). Confirm where credentials, handles, schedule, and last-check files will live. (2) The skill stores your X bearer token in plaintext under your home directory; restrict file permissions (chmod 600), consider using a secrets manager or environment-secret instead, and rotate the token if shared. (3) The agent will create cron jobs that schedule future agentTurn runs — review exactly what the scheduled payloads do and ensure you want recurring autonomous checks. (4) Test a manual run ('check x now') and inspect outputs and logs before enabling the schedule. If you want higher assurance, ask the author to correct the path inconsistencies and to document where scheduled jobs will run and which account identity they use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97apxzg0gdb7wwhsc6e5e0s3980ymkg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments