← Back to Skills Marketplace
1039
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-social-post
Description
Post and reply to X/Twitter and Farcaster with text and images. Features multi-account support, dynamic Twitter tier detection (Basic/Premium), auto-variation to avoid duplicate content detection, draft preview, character validation, threads, replies, and image uploads. Consumption-based pricing for X API, pay-per-cast for Farcaster.
Usage Guidance
Do not run this skill with live credentials until these issues are resolved. Specific recommendations:
- Ask the author to remove hardcoded /home/phan_harry paths and use $HOME or relative paths so the skill accesses the current user's files only.
- Require and document all needed credentials explicitly (Farcaster custody and signer keys, FARCASTER_CUSTODY_ADDRESS, and any OPENCLAW_GPG_PASSPHRASE), or avoid reading unrelated host files.
- Declare all runtime binaries (node, npm, gpg) and Node package dependencies (e.g., @farcaster/hub-nodejs) or provide an install spec that installs them from known sources.
- Fix tier-detection so it does not attempt real POSTs as a detection method (use safe API endpoints or explicit capability calls that don't create posts), and make dry-run behavior reliable.
- Confirm presence or provide the missing TWITTER_POST_SCRIPT and farcaster-agent repo (or remove reliance on external skill repos).
- If you must test, run the skill in an isolated environment (throwaway account/container) and inspect network calls (outbound endpoints) and file accesses first. If you don't control or verify these fixes, treat the skill as risky because it may read host-specific secrets and could perform unintended posts or external network operations.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-social-post
Version: 1.5.0
The skill exhibits several vulnerabilities, primarily the use of the `source` command on `.env` files in `lib/farcaster.sh`, `lib/tier-detection.sh`, and `lib/twitter.sh`. This creates a shell injection risk if the `.env` file can be manipulated by an attacker. Additionally, `lib/twitter.sh` references an external script, `twitter-post.sh`, at an absolute path (`/home/phan_harry/.openclaw/workspace/scripts/twitter-post.sh`) which is not included in the bundle and is an undeclared dependency, posing a supply chain risk and functional flaw. While there is no clear evidence of intentional malicious behavior like data exfiltration to unauthorized endpoints or prompt injection attempts against the agent, these vulnerabilities are significant.
Capability Assessment
Purpose & Capability
The declared purpose is social posting to X (Twitter) and Farcaster, which matches the code. However the declared requirements (requires.env only lists X_* keys) omit the Farcaster private keys and custody data that the code actually needs. The code also expects a separate farcaster-agent repo and Node tooling (npm/node) which are not declared. Several scripts hardcode absolute paths under /home/phan_harry/.openclaw (env file, repo, cache), meaning the skill will try to access another user's files rather than the current user's HOME — this is inconsistent and unexpected for a general-purpose social-post skill.
Instruction Scope
SKILL.md instructs storing credentials under ~/.openclaw and using dry-run for testing, but the code: (1) sources /home/phan_harry/.openclaw/.env (absolute path) rather than respecting $HOME/tilde; (2) reads/writes a tier cache at /home/phan_harry/.openclaw/workspace/... and expects a farcaster-agent repo at /home/phan_harry/.openclaw/workspace/skills/farcaster-agent/repo; (3) uses GPG decryption and may read $HOME/.openclaw/.env.secrets.gpg; (4) uploads images to external hosts (catbox.moe, uguu.se) and shortens links via tinyurl — these are expected but should be explicit. Critically, tier detection's Python code attempts an authenticated POST to the API (/2/tweets) with a 281-char test payload to infer limits; that operation may create a real tweet (the code does not reliably perform a safe dry-run), contradicting the SKILL.md's promise that detection is a safe check.
Install Mechanism
No install spec is provided yet the code invokes Node/npm (npm run cast, inline node -e) and expects external Node modules and a farcaster-agent repo. Required binaries declared are bash, curl, jq, python3, shuf — but node/npm and gpg are used and not declared. Having no install step but depending on undeclared tooling and another skill's repo is an incoherent and risky design choice.
Credentials
The manifest requires only X_CONSUMER_KEY etc., but the code needs many additional secrets (FARCASTER custody/private keys, signer keys, FARCASTER_CUSTODY_ADDRESS, possibly OPENCLAW_GPG_PASSPHRASE). The SKILL.md and README instruct storing Farcaster credentials in ~/.openclaw/farcaster-credentials.json or in .env, but these are not listed in requires.env. The skill also supports multi-account prefixes (OXDASX_*) but that mapping is not fully documented in the manifest. Requesting and reading private keys and GPG secrets is necessary for Farcaster posting, but the omission from declared requirements and the hardcoded paths makes the requested secrets disproportionate and under-documented.
Persistence & Privilege
The skill writes a tier cache file (twitter-account-tiers.json) under /home/phan_harry/.openclaw/workspace/memory and may create/read other files in that hardcoded directory. While 'always' is false, the hardcoded file paths reference another user's home and another skill's repo; this gives the skill persistent read/write access to host-specific locations beyond its own isolated workspace. It does not appear to modify other skills' configurations directly, but it depends on and uses other-skill directories (farcaster-agent) which is a privilege/safety concern.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-social-post - After installation, invoke the skill by name or use
/openclaw-social-post - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.5.0
Twitter tier detection (Basic/Premium), interactive threading, Farcaster GPG fix, multi-account support, reply functionality, auto-variation
Metadata
Frequently Asked Questions
What is OpenClaw Social Post?
Post and reply to X/Twitter and Farcaster with text and images. Features multi-account support, dynamic Twitter tier detection (Basic/Premium), auto-variation to avoid duplicate content detection, draft preview, character validation, threads, replies, and image uploads. Consumption-based pricing for X API, pay-per-cast for Farcaster. It is an AI Agent Skill for Claude Code / OpenClaw, with 1039 downloads so far.
How do I install OpenClaw Social Post?
Run "/install openclaw-social-post" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw Social Post free?
Yes, OpenClaw Social Post is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenClaw Social Post support?
OpenClaw Social Post is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw Social Post?
It is built and maintained by TeeClaw (@teeclaw); the current version is v1.5.0.
More Skills