Downloads: 952
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install twitter-api
Description
Cookie-based Twitter/X automation toolkit (timeline, notifications, posting, follow ops) for OpenClaw agents.
Usage Guidance
This skill contains working code for cookie-based Twitter automation, but it also embeds suspicious artifacts: a default proxy URL with credentials (in twitter_api/config/settings.py), hardcoded auth_token/ct0 values in demo_langchain_tools.py, and a Bearer token in constants. These are red flags because they could (intentionally or accidentally) route your account traffic through a third-party proxy or expose live credentials. Before installing or running:
1) Do not paste real account cookies into .env until you audit and remove/change hardcoded proxies/credentials.
2) Inspect and remove or replace the DEFAULT_PROXY and any embedded tokens; treat any exposed tokens as compromised (rotate/reset them).
3) Run the code in an isolated environment (sandbox/container) and monitor outbound network connections to verify where traffic is sent.
4) Prefer using well-documented, official APIs and credentials rather than cookie re-use; if you must use this, require that the repository author/source is trusted.
Because of the mismatches and embedded credentials, consider this skill suspicious and audit thoroughly (or avoid) unless you can validate the proxy owner and rotate any affected credentials.
Capability Analysis
Type: OpenClaw Skill
Name: twitter-api
Version: 1.0.0
The skill bundle is classified as suspicious due to critical vulnerabilities and high-risk capabilities. The most severe issue is the presence of hardcoded Twitter `AUTH_TOKEN` and `CT0` credentials in `twitter_api/demo_langchain_tools.py`, which represents a significant information leak. Additionally, `twitter_api/config/settings.py` contains a hardcoded proxy URL with credentials. While these are vulnerabilities (leaking the skill's own credentials) rather than direct malicious attacks against the user's system, they are severe security flaws. Furthermore, the `ProfileAPI` and `SubscriptionAPI` expose highly sensitive actions like `change_password`, `delete_phone`, and `create_subscription` (with `payment_method_id`), which, if misused by an AI agent (e.g., via prompt injection), could lead to account compromise or financial loss. A minor issue is the hardcoded local path `C:\Users\IFLW016\Desktop\GanClaw_Workspace\_shared\social_ops` in `scripts/analyze_signal.py`, which affects portability.
Capability Assessment
Purpose & Capability
Name/description match the code: this is a cookie-based Twitter/X client and automation scripts. However the registry metadata declares no required env vars while the code expects many GANCLAW_* account variables (e.g., GANCLAW_X_PRIMARY_AUTH_TOKEN, GANCLAW_X_PRIMARY_CT0) and uses .env files. That mismatch between declared requirements and actual needs is an incoherence: someone building a Twitter cookie client would legitimately need the cookie env vars, so those should be declared.
Instruction Scope
SKILL.md instructs pip install and to copy/fill a .env with auth_token + ct0 and to run scripts (timeline, post, follow). The code follows that, but also reads/writes a repo-level config.json (via twitter_api/config/settings.py) and has helper functions to load token files and save results. The README/instructions do not disclose that the package contains default proxy settings or embedded demo credentials present in code — these broaden behavior beyond the documented scope and pose risk.
Install Mechanism
There is no formal install spec in the registry (instruction-only); SKILL.md relies on 'pip install -r requirements.txt', which is reasonable, and the requirements are small (aiohttp, tenacity, etc.). Because there is no packaged install step, code files will simply run from the repository. That reduces installer-supply-chain risk but means the provided source code must be trusted and audited before execution.
Credentials
The registry declares no required credentials, yet the code expects many environment vars for account cookies and proxy control. More critically, the repository contains hardcoded secrets: DEFAULT_CONFIG sets a DEFAULT proxy with embedded credentials (beeaVXlWtDSdzRin:[email protected]:1337), demo_langchain_tools.py contains an AUTH_TOKEN and CT0 literal, and constants include an authorization Bearer value. Hardcoded network/proxy credentials and example tokens are disproportionate and can enable traffic routing or token reuse/exfiltration if left unchanged.
Persistence & Privilege
always:false and the skill doesn't request platform-wide privileges. The code does write a config.json in the repository root and provides save_results helpers to write files — standard for a CLI library. However, because a default proxy with credentials exists in configuration, persistent use (e.g., running scripts repeatedly or by an autonomous agent) would cause repeated network traffic possibly routed through those credentials. Autonomous invocation alone is not flagged, but combined with hardcoded proxy credentials this increases blast radius.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install twitter-api
- After installation, invoke the skill by name or use /twitter-api
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release.
Full Twitter/X automation toolkit including:
• Async API client using auth_token + ct0 authentication
• Tweet creation, replies, engagement, and relationship actions
• Timeline + notifications ingestion and analysis workflows
• LangChain tool integration for agent-based usage
• CLI/helper scripts for monitoring, reporting, and posting
Designed for OpenClaw-based autonomous agents and research workflows.
Frequently Asked Questions
What is Twitter API Integration (Web Reversed)?
Cookie-based Twitter/X automation toolkit (timeline, notifications, posting, follow ops) for OpenClaw agents. It is an AI Agent Skill for Claude Code / OpenClaw, with 952 downloads so far.
How do I install Twitter API Integration (Web Reversed)?
Run "/install twitter-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Twitter API Integration (Web Reversed) free?
Yes, Twitter API Integration (Web Reversed) is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Twitter API Integration (Web Reversed) support?
Twitter API Integration (Web Reversed) is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Twitter API Integration (Web Reversed)?
It is built and maintained by GAN12003 (@gan12003); the current version is v1.0.0.