功能描述

X/Twitter integration — post, reply, search, like, follow, DMs, and mentions via the official X API v2

使用说明 (SKILL.md)

Clawbird — X/Twitter Tools

Name: Clawbird
Author: xonder

You have access to 13 tools for interacting with X (Twitter) via the official X API v2. All tools return JSON with results and estimated API cost.

Authentication & Credentials

This plugin authenticates to the X API using OAuth 1.0a User Context for write operations (posting, liking, following, DMs) and optionally a Bearer Token for read-only operations (search, user lookup).

Where credentials come from: You must generate them at the X Developer Portal:

Create a Project and App at developer.x.com
Generate OAuth 1.0a keys: API Key, API Secret, Access Token, Access Token Secret
Optionally generate a Bearer Token for read-only operations

How credentials are provided: Credentials are passed to the plugin at runtime by the OpenClaw plugin config system (pluginConfig). The plugin never reads config files directly. Fallback: environment variables X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET, X_BEARER_TOKEN.

No credentials are hardcoded or bundled. The plugin will return a clear error if credentials are missing.

External Endpoints

All network requests go exclusively to the official X API v2. No other hosts are contacted.

Endpoint	Method	Tool(s)	Data Sent
`https://api.x.com/2/tweets`	POST	x_post_tweet, x_post_thread, x_reply_tweet	Tweet text, reply metadata
`https://api.x.com/2/tweets/:id`	GET	x_get_tweet	Tweet ID
`https://api.x.com/2/tweets/search/recent`	GET	x_search_tweets	Search query string
`https://api.x.com/2/users/me`	GET	x_like_tweet, x_get_mentions, x_follow_user	(auth headers only)
`https://api.x.com/2/users/by/username/:username`	GET	x_get_user_profile, x_send_dm, x_follow_user	Username
`https://api.x.com/2/users/:id/likes`	POST	x_like_tweet	Tweet ID
`https://api.x.com/2/users/:id/mentions`	GET	x_get_mentions	User ID, pagination params
`https://api.x.com/2/users/:id/following`	POST	x_follow_user	Target user ID
`https://api.x.com/2/dm_conversations/with/:id/messages`	POST	x_send_dm	Message text, recipient ID
`https://api.x.com/2/dm_conversations/with/:id/dm_events`	GET	x_get_dms (filtered)	Participant ID
`https://api.x.com/2/dm_events`	GET	x_get_dms (all)	Pagination params

Security & Privacy

Network access: Only api.x.com (official X API). No other domains are contacted.
Local file access: Writes a session-scoped clawbird-interactions.jsonl file to the working directory, logging mutation actions (posts, likes, follows, DMs) so the agent can avoid duplicating work. No other files are read or written beyond the declared environment variables.
Credential handling: OAuth tokens are read from plugin config or env vars at runtime and passed to the X API via signed HTTP headers. They are never logged, cached to disk, or transmitted to any third party.
Data sent to X: Only the data you explicitly provide in tool parameters (tweet text, search queries, usernames, message text). No additional user data is collected or sent.
Data received from X: Tweet content, user profiles, DM messages, and engagement metrics as returned by the X API. This data is returned to the agent as JSON and not stored.

Trust Statement

Clawbird is an npm-distributed skill — the runtime code is installed via npm i -g @xonder/clawbird and is not bundled in the ClawHub skill archive. The security properties below can be verified by auditing the source:

Source: https://github.com/xonder/clawbird (MIT)
npm: https://www.npmjs.com/package/@xonder/clawbird
Makes no network requests other than to api.x.com (source: src/client.ts)
Reads and writes one local file (clawbird-interactions.jsonl) for session interaction logging — no other filesystem access (source: src/interaction-log.ts)
Has zero transitive dependencies beyond the official @xdevplatform/xdk SDK and @sinclair/typebox
Includes a comprehensive test suite (200+ tests) verifiable via npm test

Since this skill installs code from npm at runtime, review the source or pin a specific version (npm i -g @xonder/[email protected]) before granting credentials.

Write Actions & Autonomous Use

The following tools modify remote state on your X account:

Tool	Action	Reversible?
x_post_tweet	Posts a tweet	Delete manually
x_post_thread	Posts multiple tweets	Delete manually
x_reply_tweet	Posts a reply	Delete manually
x_like_tweet	Likes a tweet	Unlike manually
x_follow_user	Follows a user	Unfollow manually
x_send_dm	Sends a direct message	Cannot unsend

Recommendation: If running autonomously, consider requiring explicit user confirmation before write actions by configuring agent-level tool policies. Read-only tools (x_get_tweet, x_search_tweets, x_get_user_profile, x_get_mentions, x_get_dms, x_get_cost_summary) are safe for autonomous use.

Available Tools

Posting

x_post_tweet — Post a single tweet.

text (required): Tweet content (max 280 chars)
Returns: { id, text, url, estimatedCost }

x_post_thread — Post a multi-tweet thread.

tweets (required): Array of tweet texts (posted in order, each as a reply to the previous)
Returns: { threadId, tweetCount, tweets: [{ id, text, url }], estimatedCost }

x_reply_tweet — Reply to an existing tweet.

tweetId (required): Tweet ID or full URL (e.g. https://x.com/user/status/123456)
text (required): Reply content (max 280 chars)
Returns: { id, text, url, inReplyTo, estimatedCost }

Engagement

x_like_tweet — Like a tweet.

tweetId (required): Tweet ID or full URL
Returns: { liked, tweetId, estimatedCost }

Social

x_follow_user — Follow a user.

username (required): Username to follow (with or without @)
Returns: { following, user: { id, username }, estimatedCost }

Research

x_get_tweet — Get a single tweet by ID or URL.

tweetId (required): Tweet ID or full URL (e.g. https://x.com/user/status/123456)
Returns: { id, text, authorId, createdAt, metrics, conversationId, lang, url, author: { id, name, username, verified, profileImageUrl }, estimatedCost }

x_search_tweets — Search recent tweets (last 7 days).

query (required): Search query — supports X operators like from:user, #hashtag, "exact phrase", -exclude, lang:en
maxResults (optional): 10–100, default 10
Returns: { query, resultCount, tweets: [{ id, text, authorId, createdAt, metrics, url }], estimatedCost }

x_get_user_profile — Get a user's profile.

username (required): Username with or without @
Returns: { id, name, username, description, followersCount, followingCount, tweetCount, verified, profileImageUrl, url, createdAt, location, profileUrl, estimatedCost }

x_get_mentions — Get recent mentions of the authenticated account.

maxResults (optional): 5–100, default 10
Returns: { resultCount, mentions: [{ id, text, authorId, createdAt, metrics, url }], estimatedCost }

Direct Messages

x_send_dm — Send a direct message to a user.

username (required): Recipient's username (with or without @)
text (required): Message content
Returns: { sent, eventId, conversationId, recipient: { id, username }, estimatedCost }

x_get_dms — Get recent direct messages.

username (optional): Filter DMs to a specific user's conversation
maxResults (optional): 1–100, default 10
Returns: { resultCount, messages: [{ id, text, senderId, createdAt, conversationId, eventType }], estimatedCost }

Utility

x_get_interaction_log — Get the log of all write actions performed this session (posts, replies, likes, follows, DMs). Useful to review what has already been done and avoid duplicating actions.

limit (optional): Maximum number of recent entries to return (default: all)
Returns: { totalEntries, returned, logFile, entries: [{ timestamp, action, summary, details }] }

x_get_cost_summary — Get cumulative API cost for this session.

No parameters required
Returns: { totalCost, breakdown: { [action]: { calls, totalCost } } }

Best Practices

Search Queries

Use from:username to search a specific user's tweets
Use #hashtag for hashtag search
Use "exact phrase" for exact matches
Combine operators: #AI from:openai -is:retweet lang:en
Use -is:retweet to filter out retweets

Thread Formatting

Keep each tweet under 280 characters
Start with a strong hook in tweet 1
Number tweets (1/N) for long threads
End with a call to action or summary

Cost Awareness

Every tool response includes an estimatedCost field. Approximate costs:

Post/Reply: ~$0.01 per tweet
Like: ~$0.005
Search: ~$0.005 per result
User lookup: ~$0.001
Mentions: ~$0.005 per result
Send DM: ~$0.01
Read DMs: ~$0.005 per result
Get tweet: ~$0.005

Use x_get_cost_summary to check cumulative session spend before expensive operations.

Rate Limits

Posting: 200 tweets per 15 minutes
Search: 180 requests per 15 minutes (user), 450 (app)
Likes: 50 per 15 minutes
User lookup: 900 per 15 minutes
Mentions: 180 per 15 minutes
DMs: 200 messages per 15 minutes, 1000 per 24 hours
Following: 400 per 24 hours

Error Handling

All tools return errors as { error: "message", details?: ... }. Common issues:

Rate limiting (wait and retry)
Authentication errors (check API credentials)
Tweet not found (verify ID/URL)
Empty text (provide non-empty content)

安全使用建议

This skill looks internally consistent for an X/Twitter integration, but take these precautions before installing: - Audit or review the npm package source (https://github.com/xonder/clawbird and the npm page) before running npm i. Prefer installing a pinned version (e.g., npm i -g @xonder/[email protected]). - Limit the credentials you provide: when you only need read-only access, use a Bearer Token with read scope rather than full OAuth write tokens. Create and use dedicated developer keys for the agent rather than your primary account keys. - Be aware the skill will write a local file clawbird-interactions.jsonl in the working directory; review its contents and permissions if that matters for privacy. - If you allow autonomous agent use, require explicit confirmation for any write actions (posting, liking, following, sending DMs) via agent tool policies. - Consider running npm audit and inspecting install scripts for the package before global install. If you are not comfortable auditing, avoid granting the OAuth tokens. If you want greater assurance, provide the registry maintainers' provenance (signed releases, pinned checksum) or test the package in an isolated environment (container) first.

功能分析

Type: OpenClaw Skill Name: clawbird Version: 1.0.3 The OpenClaw AgentSkills skill bundle for 'clawbird' is classified as benign. The `SKILL.md` file transparently details the skill's purpose (X/Twitter integration), required credentials, network endpoints (exclusively `api.x.com`), and local file access (only `clawbird-interactions.jsonl` for logging). It explicitly warns about write actions and recommends user confirmation for autonomous use. While the skill installs an external npm package (`@xonder/clawbird`), this is openly declared as a supply chain consideration, with links to source code and npm, and advice to review or pin versions. There is no evidence of prompt injection, data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or obfuscation within the provided files.

能力评估

✓ Purpose & Capability

Name/description (X/Twitter integration) match the declared env vars (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET) and the npm package @xonder/clawbird. The requested credentials are exactly what an OAuth 1.0a X client needs.

ℹ Instruction Scope

SKILL.md confines network traffic to the official X API and documents only writing a single session-scoped log file (clawbird-interactions.jsonl) to the working directory for mutation deduplication. This is within scope, but the doc also claims 'data is not stored' while explicitly stating it writes that interaction log — a small inconsistency to clarify (what exactly is logged).

ℹ Install Mechanism

Install is via npm (@xonder/clawbird), which is consistent with the 'npm-distributed skill' claim. Installing a third‑party global npm package is expected here but carries normal supply‑chain risk (install scripts, transitive dependencies). The SKILL.md sensibly recommends pinning and auditing the package.

ℹ Credentials

Declared env vars (OAuth key/secret and access token/secret) are appropriate. The doc mentions an optional X_BEARER_TOKEN fallback but that variable is not listed in requires.env — a minor mismatch worth correcting. No unrelated credentials are requested.

✓ Persistence & Privilege

The skill does not request always:true and does not ask for system-wide config changes. It will create a session-scoped interaction log in the working directory; this is a modest persistence request tied to avoiding duplicate actions. The skill exposes write-capable tools (tweet, like, follow, DM) — the doc correctly recommends requiring confirmations for autonomous write actions.

版本历史

v1.0.3

**Security and trust section updated for clarity on credentials, installation, and review.** - Clarified credential injection: credentials must be provided via OpenClaw plugin config at runtime; no direct config file reads. - Updated trust statement to specify runtime npm installation, linking to source and npm, and suggesting source audit/pinning for security. - Stated test coverage now at 200+ tests. - Emphasized no bundled code—runtime code is installed from npm, not included in skill archive. - Minor rewording of security and configuration sections for accuracy and transparency.

v1.0.2

- Added session-scoped interaction logging: mutation actions (posts, likes, follows, DMs) are now recorded in a local `clawbird-interactions.jsonl` file to help avoid duplicate work. - Updated the security and trust statements to reflect the new local interaction log file (reads and writes one file; no other filesystem access). - Introduced a new tool: `x_get_interaction_log` for retrieving all write actions performed during the session. - Increased tool count from 12 to 13. - Other documentation updates to clarify new functionality.

v1.0.1

- Added a new `metadata` section with OpenClaw-specific configuration, including plugin requirements and installation instructions. - Declared required environment variables and clarified `primaryEnv` for X API integration. - No changes to tools or functional behavior; documentation only.

v1.0.0

Initial release with detailed security, authentication, and API usage documentation. - Clarified that all interactions use the official X (Twitter) API v2 and require user-provided OAuth credentials. - Added explicit documentation of credential handling, network endpoints used, and data privacy practices. - Listed all API tools and separated them by category (Posting, Engagement, Social, Research, Direct Messages, Utility). - Provided a summary of security model: network access scope, file access, dependencies, and trust statement. - Included recommendations for autonomous use and described which actions modify remote state. - Specified all required environment variables and configuration methods.

v0.1.0

Clawbird initial release — interact with X/Twitter in real time - Post tweets, threads, and replies directly from the skill - Search tweets, fetch user profiles, and monitor mentions - Like tweets and follow users easily - Send and receive direct messages - Track real-time API costs and rate limits for each action - JSON-formatted responses and clear error handling included

元数据

Slug clawbird

版本 1.0.3

许可证 —

累计安装 1

当前安装数 1

历史版本数 5

常见问题

Clawbird 是什么？

X/Twitter integration — post, reply, search, like, follow, DMs, and mentions via the official X API v2. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 742 次。

如何安装 Clawbird？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install clawbird」即可一键安装，无需额外配置。

Clawbird 是免费的吗？

是的，Clawbird 完全免费（开源免费），可自由下载、安装和使用。

Clawbird 支持哪些平台？

Clawbird 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Clawbird？

由 xonder（@xonder）开发并维护，当前版本 v1.0.3。

Clawbird