← Back to Skills Marketplace

X Manager

Name: X Manager
Author: patches429

by Parker · GitHub ↗ · v0.1.0 · MIT-0

cross-platform ⚠ suspicious

337

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install x-manager

Description

Manage X (Twitter) accounts — post tweets, like, reply, retweet, view timeline, search, auto-interact, analyze data.

Usage Guidance

This skill appears to do what it says, but check these things before installing: 1) It expects per-user credential files in credentials/{USER_ID}.json — ensure you are comfortable storing API keys in that location and protect that directory. 2) The SKILL metadata lists TWITTER_* env vars but the scripts ignore them — decide whether you prefer env-based or file-based credentials and adjust accordingly. 3) The scripts use the 'requests' library and optionally a 'twitterv2' client but no install steps are provided; ensure your environment has those packages. 4) Verify the Twitter API tier and tokens you provide are appropriate (some endpoints require elevated privileges). 5) Note a stray string referencing storyclaw.com in an error message — benign by itself, but if you need external hosting or redirects, confirm the origin. If you want higher assurance, ask the author for a documented install/requirements file and clarify whether env vars or credential files are the intended auth mechanism.

Capability Analysis

Type: OpenClaw Skill Name: x-manager Version: 0.1.0 The skill provides legitimate Twitter management functionality but contains a path traversal vulnerability across all script files (e.g., scripts/post_tweet.py, scripts/get_timeline.py, scripts/search_tweets.py). The `user_id` command-line argument is used directly to construct file paths for loading credentials (e.g., `credentials/{user_id}.json`) without sanitization, which could allow an attacker to access or verify the existence of arbitrary JSON files on the system. While the code aligns with its stated purpose, this vulnerability represents a significant security flaw.

Capability Assessment

✓ Purpose & Capability

Name/description match the code and required credentials: the scripts implement posting, liking, replying, retweeting, timeline and search using Twitter API calls and per-user credentials.

ℹ Instruction Scope

SKILL.md and scripts confine actions to Twitter API calls and per-user credential files under credentials/{USER_ID}.json. Minor scope mismatches: SKILL.md lists env var usage as an alternative, but the scripts always load credentials from credentials/{USER_ID}.json (they do not read TWITTER_* env vars). No instructions attempt to read unrelated system files or exfiltrate data to external endpoints.

✓ Install Mechanism

Instruction-only skill with no install spec (no code downloaded at install time). Scripts import requests and optionally a 'twitterv2' library; the skill does not declare these Python deps, so the environment must already provide them. This is a usability/robustness omission, not an obvious security hazard.

ℹ Credentials

Declared required env vars are all Twitter-related and appropriate for the stated purpose. However, the code does not actually read those env vars and instead requires per-user credential files, so the metadata's required-env list is inconsistent with implementation — a minor coherence issue but not direct evidence of malicious intent.

✓ Persistence & Privilege

Skill is not always-enabled and is user-invocable; it does not request system-wide config changes or other skills' credentials. It stores/reads credentials in its own credentials/ directory as expected for a multi-user skill.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install x-manager
After installation, invoke the skill by name or use /x-manager
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.1.0

Initial release of x-manager. - Manage X (Twitter) accounts: post tweets, like, reply, retweet, view timeline, search, auto-interact, and analyze data. - Supports multi-user credentials with environment variable or JSON file binding. - Provides scripts for posting, engaging with tweets, and retrieving timelines or search results. - Auto-interaction workflow configurable per user. - Handles API rate limits, authentication errors, and tweet length issues. - Notes feature and limitation differences by Twitter API tier.

Metadata

Slug x-manager

Version 0.1.0

License MIT-0

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is X Manager?

Manage X (Twitter) accounts — post tweets, like, reply, retweet, view timeline, search, auto-interact, analyze data. It is an AI Agent Skill for Claude Code / OpenClaw, with 337 downloads so far.

How do I install X Manager?

Run "/install x-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is X Manager free?

Yes, X Manager is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does X Manager support?

X Manager is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created X Manager?

It is built and maintained by Parker (@patches429); the current version is v0.1.0.

More Skills