← Back to Skills Marketplace
3651
Downloads
5
Stars
17
Active Installs
1
Versions
Install in OpenClaw
/install twitter-post
Description
Post tweets to Twitter/X via the official API v2 (OAuth 1.0a). Use when the user asks to tweet, post to Twitter/X, send a thread, reply to a tweet, or quote...
Usage Guidance
This skill's code implements posting to Twitter/X and legitimately needs four OAuth credentials (consumer key/secret and access token/secret). However, the registry metadata incorrectly shows no required credentials — treat that as a red flag. Before installing: (1) verify you obtained the credentials from developer.x.com and understand where you'll store them; prefer per-skill secret storage rather than plain shell profiles; (2) create a dedicated Twitter app / tokens with least privilege (Read+Write only for this app) and use tokens you can revoke/rotate; (3) inspect scripts/tweet.js (it posts only to api.twitter.com and supports an optional HTTPS_PROXY) and run with TWITTER_DRY_RUN=1 first to check behavior; (4) confirm OpenClaw's secret storage protections (who/what can read instance config) because storing OAuth tokens in instance config can expose them to other skills or admins; (5) ask the publisher to correct the registry metadata to declare the required env vars/primary credential and provide a homepage or source provenance. If you cannot verify provenance or the secret-storage protections, treat installation as higher risk and consider alternatives (official integrations or verified plugins).
Capability Analysis
Type: OpenClaw Skill
Name: twitter-post
Version: 1.0.0
The skill bundle is benign. It provides a legitimate function to post tweets to Twitter/X via the official API v2. Credentials are handled securely via environment variables, and the `SKILL.md` explicitly warns against hardcoding them. The `tweet.js` script correctly implements OAuth 1.0a, handles tweet content validation, and directs all network traffic to `api.twitter.com`. There is no evidence of data exfiltration, unauthorized command execution, persistence mechanisms, or malicious prompt injection instructions against the agent.
Capability Assessment
Purpose & Capability
The name/description, SKILL.md, and scripts/tweet.js all align: the code posts tweets via Twitter API v2 using OAuth 1.0a. However, the registry metadata lists no required environment variables or primary credential, while both SKILL.md and scripts/tweet.js require four sensitive OAuth env vars (TWITTER_CONSUMER_KEY, TWITTER_CONSUMER_SECRET, TWITTER_ACCESS_TOKEN, TWITTER_ACCESS_TOKEN_SECRET). This mismatch between declared requirements and actual required credentials is incoherent and should be resolved.
Instruction Scope
SKILL.md instructs the agent to execute scripts/tweet.js via exec and to rely on the four OAuth env vars; those instructions are within the stated purpose (posting tweets). But the instructions access environment variables that are not declared in the registry metadata (see above). SKILL.md also suggests storing credentials in the OpenClaw instance config or shell profile — guidance that has security implications but stays within tweeting scope. There are no instructions to read unrelated files or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no install spec that downloads remote code; the skill bundles a local script (scripts/tweet.js). No external downloads, package installs, or extract steps are present. This is a low-risk install mechanism in that nothing arbitrary is fetched at install-time.
Credentials
The four OAuth env vars required by the script are appropriate for a Twitter posting skill, but the registry metadata does not declare them (no primaryEnv and 'Required env vars: none'). Requesting four sensitive secrets is proportionate to the function itself, but the omission in the declared requirements is a notable governance/visibility problem: users may not realize the skill needs OAuth tokens and may store them in places that broaden exposure. The script also recognizes HTTPS_PROXY and TWITTER_DRY_RUN, which are reasonable optional env vars.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not modify other skills or system-wide settings and does not ask to persist credentials itself beyond recommending storing env vars in instance config or shell profiles (which is normal but has security implications).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install twitter-post - After installation, invoke the skill by name or use
/twitter-post - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: OAuth 1.0a tweet posting with thread, reply, quote support
Metadata
Frequently Asked Questions
What is Twitter Post?
Post tweets to Twitter/X via the official API v2 (OAuth 1.0a). Use when the user asks to tweet, post to Twitter/X, send a thread, reply to a tweet, or quote... It is an AI Agent Skill for Claude Code / OpenClaw, with 3651 downloads so far.
How do I install Twitter Post?
Run "/install twitter-post" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Twitter Post free?
Yes, Twitter Post is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Twitter Post support?
Twitter Post is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Twitter Post?
It is built and maintained by pt (@sit-in); the current version is v1.0.0.
More Skills