← Back to Skills Marketplace
775
Downloads
0
Stars
2
Active Installs
2
Versions
Install in OpenClaw
/install tweet-cli
Description
Post tweets, replies, and quotes to X/Twitter using the official API v2. Use this instead of bird for posting. Uses API credits so only post when explicitly...
Usage Guidance
This skill appears coherent for posting to X/Twitter, but follow these precautions before installing or using it: (1) inspect the GitHub repo and package.json yourself (or run npm pack --dry-run) to confirm there are no postinstall scripts or unexpected telemetry; (2) prefer creating a dedicated API key/account with minimal permissions for automated posting; (3) store credentials in a secure secrets store if available rather than plaintext files (if you use ~/.config/tweet-cli/.env, keep chmod 600 as recommended); (4) be cautious about installing from a GitHub tag — verify the exact tag and review recent commits and releases; (5) ensure the agent asks the user to confirm every post (the SKILL.md instructs this) and do not allow speculative posting. If you want lower-risk verification, request the skill author publish a release tarball or an npm package on the official registry and provide a checksum for audit.
Capability Analysis
Type: OpenClaw Skill
Name: tweet-cli
Version: 1.0.0
The skill bundle is classified as suspicious due to its reliance on an external GitHub repository (`github:0xmythril/tweet-cli`) for installation via `npm install -g` as specified in `SKILL.md`. This introduces a supply chain risk, as the actual code being installed is not part of the bundle and its security claims (e.g., 'No postinstall scripts', 'No telemetry') cannot be verified from the provided files. While the `SKILL.md` includes strong prompt injection defenses for the AI agent (e.g., 'Do NOT post unless the user explicitly asks', 'Always confirm with the user') and good security practices for credential handling (`chmod 600`), the unverified external dependency during installation poses a significant risk.
Capability Assessment
Purpose & Capability
Name/description (post tweets via X API v2) aligns with required items: a tweet-cli binary and the four X API credentials are exactly what a posting CLI needs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to install and run tweet-cli, create a per-user config file in ~/.config/tweet-cli/.env, and confirm with the user before posting. It does not instruct reading unrelated system files or exfiltrating data. The explicit rule to avoid speculative posting reduces risk.
Install Mechanism
Install guidance uses npm to install directly from a GitHub tag (npm install -g github:0xmythril/tweet-cli#v1.0.0). This is a common pattern but has more risk than installing a vetted package from a central registry because it pulls code from a repository. The registry metadata shows 'No install spec' while SKILL.md provides an install command — this is a small metadata inconsistency but not a security red flag by itself.
Credentials
The four required environment variables (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET) are the standard credentials needed to post via X's API. No other secrets or unrelated env vars are requested. The instructions store credentials in a user-scoped config file (~/.config/tweet-cli/.env) and recommend chmod 600, which is reasonable for a CLI.
Persistence & Privilege
The skill does not request always: true, does not modify system-wide or other-skill configuration, and its persistent footprint is limited to a per-user config file in the user's home directory. Agent autonomous invocation is allowed by default but not combined with other concerning privileges here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install tweet-cli - After installation, invoke the skill by name or use
/tweet-cli - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Added a detailed Security section outlining credential handling, lack of telemetry, and dependency transparency.
- Updated installation instructions to recommend a version-pinned npm install command.
- Specified environment variables required in metadata for clearer configuration requirements.
- Improved credential setup steps: added `chmod 600` guidance for restricting access to `.env`.
- Clarified depedencies and absence of install scripts in the documentation.
v0.1.0
Initial release of tweet-cli for posting to X/Twitter via API v2
- Allows posting tweets, replies, and quotes using official API v2.
- Requires explicit user confirmation before posting, to manage limited monthly API credits.
- Provides easy setup instructions for API credentials and authentication.
- Includes commands for posting, replying, quoting, deleting tweets, and verifying authentication.
- Designed for posting only; directs users to use bird for reading or browsing tweets.
Metadata
Frequently Asked Questions
What is Tweet Cli?
Post tweets, replies, and quotes to X/Twitter using the official API v2. Use this instead of bird for posting. Uses API credits so only post when explicitly... It is an AI Agent Skill for Claude Code / OpenClaw, with 775 downloads so far.
How do I install Tweet Cli?
Run "/install tweet-cli" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Tweet Cli free?
Yes, Tweet Cli is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Tweet Cli support?
Tweet Cli is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Tweet Cli?
It is built and maintained by 0xmythril (@0xmythril); the current version is v1.0.0.
More Skills