← Back to Skills Marketplace
378
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install hume-x
Description
X/Twitter CLI and SDK for reading, searching, posting, and engagement via cookie auth.
README (SKILL.md)
hume-x
Fast X/Twitter CLI using GraphQL + cookie auth. Full API coverage for tweets, timelines, search, engagement, social, lists, trending, notifications, bookmarks, likes, and scheduled tweets.
Authentication
Uses cookie-based auth. Credentials are resolved in order:
- CLI flags:
--auth-tokenand--ct0 - Environment variables:
X_AUTH_TOKEN+X_CT0(orAUTH_TOKEN+CT0) - Config file:
~/.config/hume-x/config.json - Browser cookies: Firefox (preferred) or Chrome
Run hume-x check to verify credentials. Use hume-x whoami to see the logged-in user.
Posting
hume-x tweet "hello world"
hume-x tweet "check this out" --media image.png --alt "description"
hume-x reply \x3Cid-or-url> "nice thread!"
hume-x quote \x3Cid-or-url> "interesting take"
hume-x delete \x3Ctweet-id>
Supports media upload: images (jpg/png/webp), GIFs, videos with chunked upload.
Reading
hume-x read \x3Cid-or-url>
hume-x thread \x3Cid-or-url>
hume-x replies \x3Cid-or-url> -n 50
Accepts tweet ID or full URL (e.g. https://x.com/user/status/123).
Timeline
hume-x home -n 30
hume-x home --following
hume-x home --cursor "abc123" --pages 3
hume-x user-tweets \x3Cusername> -n 10
Supports cursor-based pagination with --cursor and --pages flags.
Search
hume-x search "query" -n 20
hume-x search "from:username" -n 10
hume-x mentions
hume-x mentions --user \x3Cusername>
Engagement
hume-x like \x3Ctweet-id>
hume-x retweet \x3Ctweet-id>
hume-x bookmark \x3Ctweet-id>
hume-x pin \x3Ctweet-id>
Collections
hume-x bookmarks
hume-x likes
Social
hume-x follow \x3Cusername>
hume-x unfollow \x3Cusername>
hume-x mute \x3Cusername>
hume-x block \x3Cusername>
hume-x following \x3Cusername>
hume-x followers \x3Cusername>
Lists
hume-x lists
hume-x lists --member-of
hume-x list-timeline \x3Clist-id>
Trending
hume-x trending
hume-x trending --tab news
hume-x trending --tab sports
hume-x trending --tab entertainment
Tabs: for-you (default), trending, news, sports, entertainment.
Notifications
hume-x notifications
Scheduled Tweets
hume-x schedule "future tweet" --at "2025-06-01T12:00:00Z"
User Info
hume-x whoami
hume-x about \x3Cusername>
Utility
hume-x check # verify auth credentials
hume-x query-ids # show cached GraphQL query IDs
hume-x refresh-ids # force refresh query IDs from x.com
Output Flags
--json— parsed JSON output (pipe to jq for filtering)--json-full— raw API response JSON--plain— plain text without colors--no-color— disable ANSI colors
hume-x home --json | jq '.[0].text'
hume-x search "topic" --json -n 5
Global Flags
--auth-token \x3Ctoken>— X auth token--ct0 \x3Ctoken>— X ct0 CSRF token--timeout \x3Cms>— request timeout--proxy \x3Curl>— HTTPS/SOCKS5 proxy-n \x3Ccount>— number of results (default varies by command)
Important
- Posting is rate-limited by X. If blocked, wait before retrying.
- Query IDs are auto-scraped from x.com with 24h cache. Use
hume-x refresh-idsif you get 404 errors. - Uses curl-impersonate for reliable HTTP requests to X's GraphQL API.
Usage Guidance
Before installing or running this skill: 1) Treat X_AUTH_TOKEN / CT0 like full-account credentials — do not supply them for your primary account without inspecting the code. 2) Ask the publisher for a public source repo and verify the npm package (@humebio/hume-x) on npm/GitHub; inspect install scripts and what files are read/written. 3) Confirm precisely which browser cookie files or paths it will read (and whether it decrypts OS-protected stores). 4) Prefer using a throwaway/test X account if you want to try it, or run the npm package in an isolated container. 5) Request the registry metadata be corrected to declare required env vars, config paths, and an explicit install spec (or remove the install command from SKILL.md). These discrepancies (undeclared credential access + implied local cookie reads + external install suggestion) are the primary reasons I flagged it as suspicious.
Capability Analysis
Type: OpenClaw Skill
Name: hume-x
Version: 1.0.0
The hume-x skill bundle (SKILL.md) describes a CLI tool for X/Twitter that performs high-risk actions, specifically the automated extraction of authentication cookies from Firefox and Chrome browser profiles and the use of environment variables for session tokens. While these actions are consistent with the tool's stated goal of providing an unofficial API interface via curl-impersonate, the capability to access sensitive local data stores and session secrets presents a significant security risk. No direct evidence of data exfiltration or malicious intent was found in the provided documentation, but the broad access to credentials warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The skill's name/description (X/Twitter CLI using cookie auth) matches the commands and features in SKILL.md. However, the registry metadata claims no required env vars/config paths while SKILL.md explicitly documents X_AUTH_TOKEN/X_CT0, a config file (~/.config/hume-x/config.json), and browser cookie use. That mismatch is unexplained.
Instruction Scope
SKILL.md instructs use of environment variables, a local config file, and reading browser cookies (Firefox/Chrome) to obtain credentials, plus auto-scraping query IDs from x.com. Those actions involve reading other apps' cookie stores and local config files but the skill did not declare those file accesses. This broad local-data access is not fully documented in the registry and could expose sensitive account tokens.
Install Mechanism
The registry lists no install spec, but SKILL.md includes metadata recommending 'npm install -g @humebio/hume-x' and mentions curl-impersonate. The platform scan shows no install script; the presence of a suggested npm package and third-party binary is a discrepancy that should be reconciled and the package source verified.
Credentials
SKILL.md requires/accepts powerful secrets (X_AUTH_TOKEN and X_CT0 / AUTH_TOKEN and CT0) and can pull credentials from browser cookies or a config file, but the registry declares no required env vars or primary credential. These tokens can fully control an account; requesting them (and file access to browser stores) should be explicitly declared and justified.
Persistence & Privilege
The skill is user-invocable and not marked always:true. There is no declared persistent platform-level privilege or modification of other skills/configs. From the registry flags, persistence/privilege appears normal.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install hume-x - After installation, invoke the skill by name or use
/hume-x - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — full X/Twitter CLI skill for OpenClaw agents
Metadata
Frequently Asked Questions
What is hume-x?
X/Twitter CLI and SDK for reading, searching, posting, and engagement via cookie auth. It is an AI Agent Skill for Claude Code / OpenClaw, with 378 downloads so far.
How do I install hume-x?
Run "/install hume-x" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is hume-x free?
Yes, hume-x is completely free (open-source). You can download, install and use it at no cost.
Which platforms does hume-x support?
hume-x is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created hume-x?
It is built and maintained by zeroptis (@zeroptis); the current version is v1.0.0.
More Skills