yugulugulu

Twitter Listen Comment

by yugulugulu · GitHub ↗ · v0.1.2 · MIT-0
cross-platform ⚠ suspicious
366 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install twitter-listen-comment
Description
Set up the skill as a reusable local automation package.
Usage Guidance
Before installing or running this skill:
  (1) Recognize that the skill needs a Twitter bearer token (TWITTER_TOKEN) even though the registry metadata omitted it. Do not provide your primary/high-privilege token; prefer a limited-scope or throwaway account.
  (2) The skill sends tweet text to https://ai.6551.io and to the OpenClaw agent CLI to generate/post replies. Confirm you trust that service and understand where your data may be routed.
  (3) The skill requires a logged-in Chrome session and the OpenClaw Chrome Relay to post comments. This allows the skill to drive your browser while logged in, so run it only on systems/accounts you control.
  (4) Inspect references/config.json to ensure notifyTarget/agentTarget are set correctly (to a safe chat or account) and consider running initially with --once and in a sandbox or container.
  (5) If you need higher assurance, ask the publisher to correct the registry metadata to declare required env vars and review the ai.6551.io privacy/trust posture.
Capability Analysis
Type: OpenClaw Skill
Name: twitter-listen-comment
Version: 0.1.2
The skill is classified as suspicious due to a significant indirect prompt injection vulnerability in `scripts/twitter_listen_comment.py`, where unsanitized tweet content is directly embedded into prompts sent to the OpenClaw agent. This could allow a malicious tweet to hijack the agent's browser session and perform unauthorized actions. Additionally, the skill requires a `TWITTER_TOKEN` to be sent to a third-party, non-official API endpoint (`https://ai.6551.io/open/twitter_search`), which introduces a risk of credential exposure. While these behaviors are functional for the stated purpose of Twitter automation, the lack of input sanitization and reliance on external third-party infrastructure pose meaningful security risks.
Capability Assessment
Purpose & Capability
The name/description (monitor Twitter/X, generate replies, post via browser) match the included scripts and SKILL.md. However, the registry metadata claims no required env vars, while the README/SKILL.md and the code clearly require TWITTER_TOKEN (and optionally OPENCLAW_BIN and TWITTER_LISTEN_COMMENT_DATA_DIR). This omission makes the registry metadata inconsistent with what the skill actually needs.
Instruction Scope
The SKILL.md instructions are specific: load config, require TWITTER_TOKEN, run the Python script or run.sh, keep Chrome logged in and Chrome Relay attached, and ensure openclaw CLI is available. The code follows those instructions and confines file I/O to a skill-local data directory (state.json, run.log). Behavior (poll users, generate reply via openclaw agent, send notices, post via browser tool) matches the documented scope.
Install Mechanism
There is no install spec (instruction-only with bundled scripts). Nothing is downloaded or installed automatically by the skill, so there is low installer risk. The included code will be executed locally when you run it.
Credentials
The skill requires a Twitter API bearer token (TWITTER_TOKEN) and invokes external services: POSTs to https://ai.6551.io/open/twitter_search and calls the local openclaw CLI which itself may perform network actions. The registry metadata failing to declare TWITTER_TOKEN (and optional envs) is a mismatch that reduces transparency. Sending tweet content to third-party services is functionally necessary here but increases data-exposure risk — ensure you trust those endpoints and the scope of the token you provide.
Persistence & Privilege
The skill does not request `always: true` and does not modify other skills or global agent settings. It writes state and logs under its own data directory only. Autonomous invocation is allowed by default, but that is normal for the platform.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install twitter-listen-comment
  3. After installation, invoke the skill by name or use /twitter-listen-comment
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
Retry publish after repo cleanup and packaging validation.
v0.1.1
Clean repo artifacts, add distributable skill structure, config template, and README.
v0.1.0
Initial release: monitor X usernames via 6551, generate humorous replies with OpenClaw agent, submit comments via logged-in Chrome session, and send detection/submission notifications.
Metadata
Slug: twitter-listen-comment
Version: 0.1.2
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 3
Frequently Asked Questions

What is Twitter Listen Comment?

Set up the skill as a reusable local automation package. It is an AI Agent Skill for Claude Code / OpenClaw, with 366 downloads so far.

How do I install Twitter Listen Comment?

Run "/install twitter-listen-comment" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Twitter Listen Comment free?

Yes, Twitter Listen Comment is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Twitter Listen Comment support?

Twitter Listen Comment is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Twitter Listen Comment?

It is built and maintained by yugulugulu (@yugulugulu); the current version is v0.1.2.
