Twitter Autopilot

by persnola1-sketch · GitHub ↗ · v1.3.1
cross-platform ⚠ suspicious
Downloads: 668
Stars: 0
Active Installs: 1
Versions: 5
Install in OpenClaw
/install twitter-autopilot
Description
Automate Twitter/X posting, engagement, and growth for OpenClaw AI agents. Use when setting up an agent's Twitter presence, posting tweets, running engagemen...
Usage Guidance
This skill appears to do what it says (automate Twitter/X posting) and includes a usable Python script, but pay attention to these points before installing:
- Metadata mismatch: The registry claims no required env vars, yet SKILL.md and the script require sensitive Twitter credentials (API key/secret and access token/secret, optional bearer token). Treat that as a red flag — the platform's permission UI may not surface these needs.
- Real-world effects: If you supply live account credentials and allow autonomous invocation, the agent can post, follow, unfollow, delete, and otherwise act on your public account. Run in DRAFT mode or use a separate test account until you trust it.
- Secrets handling: Only provide keys you are willing to revoke. Prefer a dedicated API key/token pair with minimal permissions. Rotate tokens after testing. Do not use credentials tied to a high-value or organizational account.
- Review and limit autonomy: If possible, require human approval (MODE.md DRAFT) for initial posts, or disable autonomous cron jobs. Audit logs in twitter/posted-log.md regularly.
- Code review: The included script looks straightforward and contains no obvious remote exfiltration or obfuscated endpoints, but confirm that log paths and files are acceptable for your environment and that you are comfortable with the script writing to disk.
If you want to proceed: update the registry metadata to declare the required environment variables (so reviewers and automated gates can surface them), test against a disposable/test account, and enforce draft approval until behavior is verified.
Capability Analysis
Type: OpenClaw Skill
Name: twitter-autopilot
Version: 1.3.1
The skill is classified as suspicious due to a local file inclusion/arbitrary file read/write vulnerability in `scripts/tweet.py`. Specifically, the `queue`, `mode`, and `check-dupe` commands can accept arbitrary file paths as arguments, allowing an attacker or a misconfigured AI agent to read or write files outside the intended `twitter/` directory (e.g., `python tweet.py queue /etc/passwd`). While the `SKILL.md` documentation does not instruct the agent to exploit this, the underlying code lacks input validation for these paths, presenting a clear security risk without evidence of intentional malicious design.
Capability Assessment
Purpose & Capability
The SKILL.md and scripts/tweet.py both implement Twitter/X posting, follows, replies, threads, and local draft/log management — behavior consistent with the description. However, the registry metadata reports no required environment variables or primary credential while SKILL.md (and the code) require multiple Twitter OAuth credentials; this metadata mismatch is an incoherence that affects permission review and automated gating.
Instruction Scope
The runtime instructions and the included script stick to the described scope: they use tweepy, require Twitter credentials, post tweets, follow/unfollow, and read/write files under a twitter/ directory (MODE.md, queue.md, drafts, posted-log.md, logs/). The skill does perform actions with real-world effects (posting, following) and instructs cron/autonomous operation, which raises operational risk but is within the stated purpose.
Install Mechanism
This is an instruction-only skill with a bundled Python script; there is no install spec or remote download. The only dependency is pip-installable 'tweepy' as documented. No external or obscure install URLs are used.
Credentials
The skill requires multiple sensitive environment variables (TWITTER_API_KEY, TWITTER_API_SECRET, TWITTER_ACCESS_TOKEN, TWITTER_ACCESS_SECRET, optional TWITTER_BEARER_TOKEN) which are appropriate for Twitter integration, but the registry metadata does not declare them (no primaryEnv and 'required env vars: none'). That mismatch is a security/process concern: automated systems or reviewers won't know the skill needs credentials, and users may supply secrets without realizing the skill will use them to perform public actions. Also, because follow/read operations use the bearer token, missing/incorrect env handling could cause crashes or unexpected behavior.
Persistence & Privilege
The skill is not set to always:true and does not request system-wide changes; it only reads/writes its own twitter/ files. Autonomous invocation is allowed (default), which is expected for an automation skill — but combined with the ability to post and follow using real account credentials, autonomous execution increases blast radius and should be controlled (e.g., draft mode, human approval, or run with a separate test account).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install twitter-autopilot
  3. After installation, invoke the skill by name or use /twitter-autopilot
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.1
No feature/code changes. Documentation update only.
- Updated and/or expanded content in `references/content-strategy.md`.
v1.3.0
Version 1.3.0
- Added `references/content-strategy.md`, providing a comprehensive tweet writing playbook.
- Updated SKILL.md to reference the new content strategy guide, including details on X algorithm insights, hook formulas, thread templates, and growth tactics.
- Clarified strategy section and improved guidance on tweet writing and content planning.
v1.2.0
twitter-autopilot 1.2.0
- Updated `scripts/tweet.py` (details not specified—refer to the file for specific changes).
- No changes to documentation or workflow instructions.
- Existing features, commands, and usage remain the same.
v1.1.0
- Added a new "Requirements & Scope" section detailing required environment variables, file dependencies, and operational scope.
- Expanded documentation on file usage, including draft, log, and queue files.
- Updated draft workflow and best practices with additional operational tips and recommendations.
- Provided new best practices and practical lessons, including duplicate checks and improved logging instructions.
v1.0.0
Initial release: post, thread, reply, quote, retweet, follow, unfollow, mentions, draft workflow, strategy templates
Metadata
Slug twitter-autopilot
Version 1.3.1
License
All-time Installs 1
Active Installs 1
Total Versions 5
Frequently Asked Questions

What is Twitter Autopilot?

Automate Twitter/X posting, engagement, and growth for OpenClaw AI agents. Use when setting up an agent's Twitter presence, posting tweets, running engagemen... It is an AI Agent Skill for Claude Code / OpenClaw, with 668 downloads so far.

How do I install Twitter Autopilot?

Run "/install twitter-autopilot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Twitter Autopilot free?

Yes, Twitter Autopilot is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Twitter Autopilot support?

Twitter Autopilot is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Twitter Autopilot?

It is built and maintained by persnola1-sketch (@persnola1-sketch); the current version is v1.3.1.
