
OpenClaw X

by bosshuman · GitHub ↗ · v0.2.2
cross-platform ⚠ suspicious
583 Downloads · 2 Stars · 0 Active Installs · 4 Versions
Install in OpenClaw
/install openclaw-x
Description
Control your X/Twitter account — view timeline, search tweets, post, like, retweet, bookmark.
Usage Guidance
This skill asks you to download and run an unsigned third-party executable and to export your X/Twitter session cookies—doing so hands that binary the ability to act as your account. Before installing: (1) prefer official OAuth/API-key based integrations over exporting cookies; (2) if you must use this, review the executable’s source code or use builds from a verified maintainer and verify checksums/signatures; (3) run the binary in an isolated environment (VM/container) and not on your primary machine; (4) treat cookies.json like a password—store it securely and delete/revoke the session after use; (5) consider alternatives or ask the author for a signed release and clear privacy/security documentation. The static scanner had no files to analyze (instruction-only), so the highest-risk surface here is the external binary and the exported browser cookies.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-x
Version: 0.2.2
The skill bundle is suspicious because it requires the user to download and execute an external, unvetted binary from GitHub (`https://github.com/bosshuman/openclaw-x/releases`). Crucially, it then instructs the user to export their sensitive X/Twitter authentication cookies (`cookies.json`) and provide them to this external executable. This introduces a significant supply chain risk, as the security of the user's X account depends entirely on the trustworthiness of an opaque, external binary whose code is not part of this review. While the `SKILL.md` itself does not contain malicious code or prompt injection attempts, the described setup creates a critical vulnerability for data exfiltration or unauthorized account access if the external binary is compromised or malicious.
Capability Assessment
Purpose & Capability
Name/description match the instructions: the skill uses a local service that drives X using browser session cookies. Asking for a local helper that uses cookies to control an account is coherent with the stated purpose.
Instruction Scope
The runtime instructions tell the user to export X cookies from Chrome into cookies.json and run a third‑party executable that listens on localhost. That requires handing full session credentials to a binary and does not include guidance for protecting or verifying those credentials. The SKILL.md also instructs running an arbitrary local service without integrity checks.
Install Mechanism
No formal install spec is provided, but the guide instructs downloading an executable from a GitHub Releases page and running it. There are no checksums, signatures, or instructions to verify the binary or inspect its source—this is a high-risk operation (running an opaque binary with account cookies).
Credentials
No env vars or config paths are declared, which is consistent with an approach that uses browser cookies. However, the requirement to export cookies.json is effectively requesting highly sensitive session credentials (equivalent to full access tokens). This is proportionate to the task technically, but the SKILL.md does not provide any safeguards or alternative (OAuth/API-key) options.
Persistence & Privilege
The skill does not request always: true or system-wide config changes; it is user-invocable and does not declare persistent privileges over other skills or agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-x
  3. After installation, invoke the skill by name or use /openclaw-x
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.2
Switch skill description to English
v0.2.1
- Added instructions for downloading platform-specific executables from GitHub Releases.
- Updated setup steps: now requires exporting X cookies from Chrome and saving as `cookies.json` in the executable's directory.
- Removed instructions referring to `python main.py`; users now start the service with the provided executable.
- Documentation (README and SKILL.md) revised and clarified setup process for improved usability.
v0.2.0
- Added multilingual documentation: English, Japanese, and Korean versions of README and SKILL files.
- Updated setup instructions for starting the openclaw-x service (now includes Python entrypoint).
- Removed version field from SKILL.md.
- General documentation improvements and reorganization.
v0.1.1
Fix cookie login, timeline loading crash, and incorrect user info display
Metadata
Slug openclaw-x
Version 0.2.2
License
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is OpenClaw X?

Control your X/Twitter account — view timeline, search tweets, post, like, retweet, bookmark. It is an AI Agent Skill for Claude Code / OpenClaw, with 583 downloads so far.

How do I install OpenClaw X?

Run "/install openclaw-x" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenClaw X free?

Yes, OpenClaw X is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OpenClaw X support?

OpenClaw X is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created OpenClaw X?

It is built and maintained by bosshuman (@bosshuman); the current version is v0.2.2.
