Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X CDP Automation

Automate X (Twitter) via Chromium CDP: post tweets, reply, quote-retweet, publish articles. Uses real browser sessions with existing login, no API keys neede...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
6 · 404 · 0 current installs · 0 all-time installs
by Jason Chai (@stwith)

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, SKILL.md, and the shipped scripts all implement browser-driven posting, replying, quote-retweeting and article publishing via Chromium CDP. No unrelated env vars, cloud credentials, or hidden network endpoints are requested — the required artifacts (Chromium, puppeteer-core, profile dirs) are proportionate to the claimed purpose.
Instruction Scope
The instructions and scripts drive a real browser using an explicit user-data-dir profile and will use whatever logged-in X session is present. They read local files (images, body files), create profile directories under ~/chromium-profiles, save dry-run screenshots to /tmp, and may auto-run npm to install puppeteer-core. All of this is consistent with browser automation but implies access to session cookies and any data in that profile (so the tool can act as your account).
Install Mechanism
There is no formal install spec, but setup.js will auto-install puppeteer-core using npm into /tmp/node_modules (execSync running npm). npm installs from the public registry (moderate, traceable risk). This is expected for Node-based automation, but auto-installing at runtime into /tmp and modifying module.paths increases the attack surface if /tmp is untrusted or the registry/package were compromised.
Credentials
The skill asks for no environment variables or external credentials. It does rely on local Chromium profiles and existing logged-in sessions (which implicitly grant access to your X account). That behavior is proportional to the stated goal but is sensitive — the scripts can use cookie/session state to post as the user.
Persistence & Privilege
always: false and no system-wide modifications are requested. The skill will create profile directories (~/chromium-profiles) and write to /tmp, and it launches Chromium with a user-data-dir. It does not change other skills or global agent config. These are reasonable for browser automation but are persistent on disk.
Assessment
What to consider before installing/using this skill:

  • Review the scripts locally before running. The tool will operate the browser using your profile, so it can act with whatever X session (cookies/tokens) is present.
  • Prefer creating and using an isolated Chromium profile (not your main profile) via the --profile and --port flags to avoid exposing other sessions or data.
  • Run with --dry-run first to verify behavior; dry-run saves a screenshot under /tmp so you can confirm the composed content won't be posted.
  • The setup auto-installs puppeteer-core into /tmp via npm. Consider installing puppeteer-core yourself (verify version) and setting NODE_PATH instead of letting the script auto-install.
  • Because the script spawns Chromium with a user-data-dir, any attacker or misused script could post as you — only run this on machines you control and avoid using your primary account if you want extra safety.
  • If you want stronger isolation, run this inside a disposable VM or container and/or inspect /tmp/node_modules after installation to ensure no unexpected packages were installed.
  • Limit agent autonomy: require explicit user confirmation before posting (the SKILL.md describes an approval step — keep that in place). Do not grant blanket autonomous invocation to the agent without oversight.
  • If unsure, test on a secondary or throwaway X account first.


Current version: v1.0.0
Tags: automation, cdp, chromium, latest, puppeteer, twitter, x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

X CDP Skill — Browser Automation for X (Twitter)

First-Time Setup

Run the setup wizard. It checks everything and auto-fixes what it can:

node scripts/setup.js [--port 18802] [--profile ~/chromium-profiles/x-cdp]

The wizard does 4 things:

  1. Finds Chromium/Chrome on your system (or tells you how to install it)
  2. Checks puppeteer-core (auto-installs to /tmp/node_modules if missing)
  3. Launches Chromium with CDP enabled on the specified port
  4. Verifies X login (tells you to log in manually if needed)

Manual setup (if you prefer)

Install Chromium (recommended over Chrome for version stability):

# macOS
brew install --cask chromium

# Linux
sudo apt install chromium-browser

Install puppeteer-core:

cd /tmp && npm init -y && npm install puppeteer-core

Launch Chromium with CDP:

chromium --remote-debugging-port=18802 --user-data-dir=~/chromium-profiles/x-cdp --no-first-run

Log in to X: Open x.com in the Chromium window and log in once. The session persists in the profile directory.

Why Chromium, not Chrome?

Chrome auto-updates silently. One update can change DOM selectors and break all automation overnight. Chromium lets you pin a known-good version. That said, Chrome works fine too if you don't mind occasional breakage.

Architecture

All scripts connect to a running Chromium instance via CDP (Chrome DevTools Protocol). This is not API-based. It drives the real browser UI, identical to a human clicking.

Multi-account isolation

Each X account gets its own Chromium instance with a separate port and profile:

  • Port 18800, profile chromium-profiles/main: @your_main_account
  • Port 18801, profile chromium-profiles/second: @your_second_account
  • Port 18802, profile chromium-profiles/third: @your_third_account

Launch multiple instances for multi-account use. All scripts accept --port to target a specific account.

Commands

Post a tweet

NODE_PATH=/tmp/node_modules node scripts/post-tweet.js "Hello world" [--image /path/to/img.png] [--port 18802] [--dry-run]

Reply to a tweet

NODE_PATH=/tmp/node_modules node scripts/reply-tweet.js <tweet_url> "Nice post!" [--image /path/to/img.png] [--port 18802] [--dry-run]

Quote retweet

NODE_PATH=/tmp/node_modules node scripts/quote-tweet.js <tweet_url> "My thoughts" [--port 18802] [--dry-run]

Publish an article (X Premium)

NODE_PATH=/tmp/node_modules node scripts/post-article.js --title "Title" --body "Body text" [--body-file /path/to/content.md] [--cover /path/to/cover.jpg] [--port 18800] [--dry-run]

All scripts support --dry-run to fill content without sending. A screenshot is saved to /tmp/.

Agent Integration

When the user asks to interact with X:

Pre-flight check

Before running any script, verify the environment:

  1. Check if Chromium is running on the target port: curl -s http://localhost:<port>/json/version
  2. If not running, run node scripts/setup.js --port <port> to launch and configure
  3. If setup fails, report the specific step that failed
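The pre-flight check above only asks whether Chromium answers on the port. The script below extends it with the checks the security assessment recommends: an isolated profile rather than a default browser profile, a self-installed puppeteer-core at a pinned version, and no unexpected packages under the node_modules directory NODE_PATH points at. It is an added example, not one of the skill's scripts; the function names, the allowlist file (one package name per line, recorded from an install you verified) and the pinned version are assumptions, and it assumes curl is available.

```shell
#!/bin/sh
# Pre-flight audit for an X CDP setup. Added example, not one of the skill's own
# scripts. Assumes a self-installed, pinned puppeteer-core under NODE_PATH.
# 0 if a Chromium CDP endpoint answers on localhost:<port>, 1 otherwise.
cdp_running() {
  curl -sf --max-time 3 "http://localhost:$1/json/version" 2>/dev/null | grep -q '"Browser"'
}
# 0 if <profile dir> is an isolated automation profile, 1 if it is a default
# browser profile (which would expose every other logged-in session in it).
profile_is_isolated() {
  case "$1" in
    "$HOME/.config/chromium"*|"$HOME/.config/google-chrome"*) return 1 ;;
    "$HOME/Library/Application Support/Chromium"*) return 1 ;;
    "$HOME/Library/Application Support/Google/Chrome"*) return 1 ;;
    *) return 0 ;;
  esac
}
# 0 if <node_modules>/puppeteer-core/package.json declares exactly <version>.
puppeteer_version_ok() {
  pkg="$1/puppeteer-core/package.json"
  [ -f "$pkg" ] && grep -q "\"version\": *\"$2\"" "$pkg"
}
# Print the top-level package names under <node_modules>, scoped ones as
# @scope/name, skipping hidden dirs such as .bin and bare @scope dirs.
list_packages() {
  for d in "$1"/*/ "$1"/@*/*/; do
    [ -d "$d" ] || continue
    name=${d#"$1"/}; name=${name%/}
    case "$name" in @*/*|[!@]*) echo "$name" ;; esac
  done | sort -u
}
# 0 if every package under <node_modules> is in <allowlist file> (one name per
# line, from an install you verified); otherwise print the extras, return 1.
unexpected_packages() {
  if list_packages "$1" | grep -vxF -f "$2"; then return 1; fi
  return 0
}
# Run every check and stop at the first failure.
# Usage: preflight <port> <profile dir> <node_modules> <version> <allowlist>
preflight() {
  cdp_running "$1" || { echo "no CDP on port $1: run node scripts/setup.js --port $1"; return 1; }
  profile_is_isolated "$2" || { echo "$2 is a default profile: pass --profile"; return 1; }
  puppeteer_version_ok "$3" "$4" || { echo "puppeteer-core in $3 is not $4"; return 1; }
  unexpected_packages "$3" "$5" || { echo "unexpected packages in $3 (listed above)"; return 1; }
  echo "pre-flight OK"
}
```

Run it before the agent executes any posting script, e.g. preflight 18802 ~/chromium-profiles/x-cdp /tmp/node_modules <pinned version> ~/x-cdp-allowlist.txt, and treat any failure as a stop condition rather than letting setup.js auto-install.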

Compose flow

  1. User provides intent (e.g., "reply to this tweet saying thanks")
  2. Agent drafts the text, shows it to user for approval
  3. On confirmation, run the script via exec
  4. Report success/failure

Error recovery

If a script fails with "not found" errors, X may have changed its DOM. Check and update:

  • references/selectors.md for the latest selectors
  • scripts/lib/cdp-utils.js SELECTORS object

Risk Notes

  • Rate limiting: Space out actions. No more than ~10 tweets/hour.
  • Detection: CDP automation looks like real browser usage. Much harder to detect than API abuse.
  • Account safety: Human-like delays are built into all scripts. Avoid bulk operations.
  • vs API tools (bird etc.): API wrappers get DMCA'd or break on API changes. CDP works as long as the website works.

Files

9 total