← Back to Skills Marketplace
nissan

Tweet Pipeline

by Nissan Dookeran · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
350
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install tweet-pipeline
Description
Notion-to-Twitter automation — pull approved tweets from a Notion database, schedule one-shot crons for exact post times, and post via X/Twitter OAuth2 API....
Usage Guidance
This skill is not outright malicious, but it is inconsistent and requires careful review before use. Key concerns: (1) The scripts do not use the declared NOTION_API_KEY env var — they invoke the 1Password CLI (op) and read a local service token file to pull the Notion key from 1Password; (2) Twitter credentials are read from a local file (~/.xurl), not from declared env vars; (3) the scripts call hardcoded user-specific binaries and paths (a specific python in /Users/loki, /opt/homebrew node, ~/.npm-global/bin/openclaw) that may not exist and reveal assumptions about the developer's machine; (4) there is subprocess usage of 'op' and 'openclaw cron add' which will access your password manager and schedule jobs on your system. Recommended actions before installing or running: - Ask the author to explain why NOTION_API_KEY is declared but not used, and to list all required binaries (op, node, openclaw CLI). - Inspect and/or sanitize ~/.xurl and remove sensitive credentials, or modify scripts to accept Twitter creds via environment variables instead of reading a local file. - Replace hardcoded paths with configurable values or relative paths. - Run the scripts in a controlled sandbox or test account first (dry-run mode is provided). - Ensure you are comfortable granting the skill access to your 1Password service account token and to schedule crons on your machine; if not, do not run it. - Because the refresh logic contains buggy/undefined variables, review and fix that function before trusting automatic token refresh or credential writes.
Capability Analysis
Type: OpenClaw Skill Name: tweet-pipeline Version: 1.0.0 The skill contains hardcoded absolute paths to a specific user's home directory (/Users/loki/) and attempts to read sensitive credentials from the host filesystem, specifically ~/.xurl and ~/.config/openclaw/.op-service-token. It relies on the 1Password CLI (op) to fetch secrets, which is a high-privilege operation. While these behaviors appear intended for a specific personal automation setup, the hardcoded environment dependencies and the practice of accessing sensitive files outside the workspace are risky. Additionally, scripts/tweet_post_one.py contains broken logic with undefined variables (refresh, user, xurl_path) in its token refresh function.
Capability Assessment
Purpose & Capability
The skill description says it reads Notion and posts to X/Twitter and declares NOTION_API_KEY as the primary credential. However, both scripts do not use an environment NOTION_API_KEY; instead they call the 1Password CLI ('op') and read ~/.config/openclaw/.op-service-token plus op:// paths to retrieve the Notion key. They also read a local YAML file (~/.xurl) for Twitter OAuth1 credentials. The code expects other local tools/paths (op, node, openclaw CLI, specific python path and home-directory paths) that are not declared in the metadata.
Instruction Scope
SKILL.md describes polling Notion and scheduling crons, which matches high-level behavior, but the runtime instructions in the scripts go beyond that: they read local config and secret files, execute the 1Password CLI via subprocess, schedule crons by calling a hardcoded node+openclaw binary, and write a state file under ~/.openclaw. The poster script also contains a token-refresh function that references undefined variables and may attempt to read/write local credential files. The instructions therefore access filesystem and credential sources not described in the skill metadata.
Install Mechanism
There is no install spec (instruction-only), so nothing will be downloaded at install. That lowers install-time risk, but the scripts call external binaries (op, node, openclaw, a specific python under /Users/loki/.pyenv) that are assumed to exist. The skill metadata only required python3; it does not declare 'op' or the openclaw/node binaries it will invoke.
Credentials
The declared required env vars list only NOTION_API_KEY, yet the code ignores that env var and instead requires access to other secrets: a local service-account token file (~/.config/openclaw/.op-service-token) used with the 1Password CLI and a local YAML (~/.xurl) containing Twitter consumer/access tokens. These undeclared secrets and file reads are disproportionate to the declared requirement and are security-relevant.
Persistence & Privilege
always:false and the skill writes only its own state file (~/.openclaw/workspace/memory/scheduled-tweets.json) and schedules one-shot crons via the openclaw CLI. It does modify Notion pages (updating Status/Posted At), which is expected for a poster. It does not declare 'always:true' or modify other skills, but cron scheduling and reliance on local CLI tools means it creates persistent scheduled work on the host if run.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install tweet-pipeline
  3. After installation, invoke the skill by name or use /tweet-pipeline
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — Notion-to-Twitter automation. - Pulls approved tweets from a Notion database. - Schedules one-shot cron jobs for precise posting times. - Posts to X/Twitter via OAuth2 API. - Tracks tweet status to prevent duplicates. - Designed for managing and automating social content calendars using Notion.
Metadata
Slug tweet-pipeline
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Tweet Pipeline?

Notion-to-Twitter automation — pull approved tweets from a Notion database, schedule one-shot crons for exact post times, and post via X/Twitter OAuth2 API.... It is an AI Agent Skill for Claude Code / OpenClaw, with 350 downloads so far.

How do I install Tweet Pipeline?

Run "/install tweet-pipeline" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Tweet Pipeline free?

Yes, Tweet Pipeline is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Tweet Pipeline support?

Tweet Pipeline is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Tweet Pipeline?

It is built and maintained by Nissan Dookeran (@nissan); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments