Clawbird

v1.0.3

X/Twitter integration — post, reply, search, like, follow, DMs, and mentions via the official X API v2

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (X/Twitter integration) match the declared env vars (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET) and the npm package @xonder/clawbird. The requested credentials are exactly what an OAuth 1.0a X client needs.
Instruction Scope
SKILL.md confines network traffic to the official X API and documents only writing a single session-scoped log file (clawbird-interactions.jsonl) to the working directory for mutation deduplication. This is within scope, but the doc also claims 'data is not stored' while explicitly stating it writes that interaction log — a small inconsistency to clarify (what exactly is logged).
Install Mechanism
Install is via npm (@xonder/clawbird), which is consistent with the 'npm-distributed skill' claim. Installing a third‑party global npm package is expected here but carries normal supply‑chain risk (install scripts, transitive dependencies). The SKILL.md sensibly recommends pinning and auditing the package.
Credentials
Declared env vars (OAuth key/secret and access token/secret) are appropriate. The doc mentions an optional X_BEARER_TOKEN fallback but that variable is not listed in requires.env — a minor mismatch worth correcting. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not ask for system-wide config changes. It will create a session-scoped interaction log in the working directory; this is a modest persistence request tied to avoiding duplicate actions. The skill exposes write-capable tools (tweet, like, follow, DM) — the doc correctly recommends requiring confirmations for autonomous write actions.
Assessment
This skill looks internally consistent for an X/Twitter integration, but take these precautions before installing:

- Audit or review the npm package source (https://github.com/xonder/clawbird and the npm page) before running npm i. Prefer installing a pinned version (e.g., npm i -g @xonder/clawbird@1.1.0).
- Limit the credentials you provide: when you only need read-only access, use a Bearer Token with read scope rather than full OAuth write tokens. Create and use dedicated developer keys for the agent rather than your primary account keys.
- Be aware the skill will write a local file clawbird-interactions.jsonl in the working directory; review its contents and permissions if that matters for privacy.
- If you allow autonomous agent use, require explicit confirmation for any write actions (posting, liking, following, sending DMs) via agent tool policies.
- Consider running npm audit and inspecting install scripts for the package before global install.

If you are not comfortable auditing, avoid granting the OAuth tokens. If you want greater assurance, provide the registry maintainers' provenance (signed releases, pinned checksum) or test the package in an isolated environment (container) first.

Like a lobster shell, security has layers — review code before you run it.

latest vk97dwwpty98jrdpm3hmhbazf5x816mcp

Runtime requirements

🐦 Clawdis
Env: X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET
Primary env: X_API_KEY

Install

Install clawbird plugin (npm): npm i -g @xonder/clawbird
