X/Twitter by altf1be
by Abdelkrim from Brussels · v1.1.3 · MIT-0
Downloads: 929 · Stars: 1 · Active Installs: 3 · Versions: 7
Install in OpenClaw
/install x-twitter-by-altf1be
Description
Post tweets, threads, and media to X/Twitter via API v2 — secure OAuth 1.0a signing, minimal dependencies (commander + dotenv only).
Usage Guidance
This skill appears to do exactly what it claims: post tweets/threads and upload media using your X/Twitter OAuth keys. Before installing:
1. Verify you trust the skill source (GitHub link in metadata).
2. Keep the four OAuth secrets private (store in .env, do not commit).
3. Run npm install in an isolated environment if you are cautious — package-lock.json is present and shows only 'commander' and 'dotenv'.
4. Note the script will read media files you explicitly pass; it enforces path and extension checks (only under home/working-dir/tmp and common image/video extensions).
5. The README mentions a Bearer Token but the code does not use one — expect only OAuth consumer/access keys.

Rotate keys if you later revoke access. If you want additional assurance, review the full scripts/xpost.mjs file before running and test with a throwaway/test account first.
Capability Analysis
Type: OpenClaw Skill
Name: x-twitter-by-altf1be
Version: 1.1.3
The skill provides a well-structured CLI for interacting with the X (Twitter) API v2. The implementation in `scripts/xpost.mjs` includes proactive security measures, such as a `validateFilePath` function that prevents Local File Inclusion (LFI) by restricting file access to specific allowed directories and blocking sensitive paths like `.ssh`, `.env`, and `/etc/`. It uses standard OAuth 1.0a signing via built-in Node.js crypto modules and maintains a minimal dependency footprint (only `commander` and `dotenv`).
Capability Assessment
Purpose & Capability
Name/description (post tweets/threads/media) matches the code and required environment variables (X_CONSUMER_KEY, X_CONSUMER_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET). No unrelated credentials or external services are requested.
Instruction Scope
SKILL.md only instructs installing dependencies and running the included CLI. The runtime instructions and the script operate only on user-provided content and the four OAuth env vars. Minor documentation mismatch: README mentions a 'Bearer Token' in prerequisites, but neither SKILL.md nor the code uses a bearer token (the script uses OAuth 1.0a and v1.1 upload endpoints for media).
Install Mechanism
No install spec in registry (instruction-only), but SKILL.md/README instructs 'npm install' which will pull 'commander' and 'dotenv' from the npm registry. This is expected for a Node CLI but carries the usual moderate risk of fetching packages from npm; package-lock.json is included and shows concrete versions.
Credentials
Only the four OAuth secrets required are declared and used by the code; these are proportionate to posting tweets and uploading media. The skill does not request unrelated secrets or system credentials.
Persistence & Privilege
`always` is false and the skill does not request persistent system-wide privileges. It does not modify other skill configs or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install x-twitter-by-altf1be
- After installation, invoke the skill by name or use /x-twitter-by-altf1be
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.3
Fix: remove dead bearerToken code path, fix description inconsistency (was claiming no deps), align versions across files
v1.1.2
Fix: replace dynamic env access with explicit named env vars to avoid false positive security flag
v1.1.1
Re-publish with CLI v0.8.0 to fix blocked status (issue #669)
v1.1.0
Re-publish with updates
v1.0.2
Fix LFI vulnerability: validate file paths for --media and --file options with directory allowlist, sensitive path blocking, and media extension enforcement
v1.0.1
Fix: remove unused deps (crypto, oauth-1.0a), make bearer token optional, accurate security claims
v1.0.0
Initial release: tweet, thread, media, verify via X API v2 with OAuth 1.0a
Frequently Asked Questions
What is X/Twitter by altf1be?
Post tweets, threads, and media to X/Twitter via API v2 — secure OAuth 1.0a signing, minimal dependencies (commander + dotenv only). It is an AI Agent Skill for Claude Code / OpenClaw, with 929 downloads so far.
How do I install X/Twitter by altf1be?
Run "/install x-twitter-by-altf1be" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is X/Twitter by altf1be free?
Yes, X/Twitter by altf1be is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does X/Twitter by altf1be support?
X/Twitter by altf1be is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created X/Twitter by altf1be?
It is built and maintained by Abdelkrim from Brussels (@abdelkrim); the current version is v1.1.3.