← 返回 Skills 市场
378
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install hume-x
功能描述
X/Twitter CLI and SDK for reading, searching, posting, and engagement via cookie auth.
使用说明 (SKILL.md)
hume-x
Fast X/Twitter CLI using GraphQL + cookie auth. Full API coverage for tweets, timelines, search, engagement, social, lists, trending, notifications, bookmarks, likes, and scheduled tweets.
Authentication
Uses cookie-based auth. Credentials are resolved in order:
- CLI flags:
--auth-tokenand--ct0 - Environment variables:
X_AUTH_TOKEN+X_CT0(orAUTH_TOKEN+CT0) - Config file:
~/.config/hume-x/config.json - Browser cookies: Firefox (preferred) or Chrome
Run hume-x check to verify credentials. Use hume-x whoami to see the logged-in user.
Posting
hume-x tweet "hello world"
hume-x tweet "check this out" --media image.png --alt "description"
hume-x reply \x3Cid-or-url> "nice thread!"
hume-x quote \x3Cid-or-url> "interesting take"
hume-x delete \x3Ctweet-id>
Supports media upload: images (jpg/png/webp), GIFs, videos with chunked upload.
Reading
hume-x read \x3Cid-or-url>
hume-x thread \x3Cid-or-url>
hume-x replies \x3Cid-or-url> -n 50
Accepts tweet ID or full URL (e.g. https://x.com/user/status/123).
Timeline
hume-x home -n 30
hume-x home --following
hume-x home --cursor "abc123" --pages 3
hume-x user-tweets \x3Cusername> -n 10
Supports cursor-based pagination with --cursor and --pages flags.
Search
hume-x search "query" -n 20
hume-x search "from:username" -n 10
hume-x mentions
hume-x mentions --user \x3Cusername>
Engagement
hume-x like \x3Ctweet-id>
hume-x retweet \x3Ctweet-id>
hume-x bookmark \x3Ctweet-id>
hume-x pin \x3Ctweet-id>
Collections
hume-x bookmarks
hume-x likes
Social
hume-x follow \x3Cusername>
hume-x unfollow \x3Cusername>
hume-x mute \x3Cusername>
hume-x block \x3Cusername>
hume-x following \x3Cusername>
hume-x followers \x3Cusername>
Lists
hume-x lists
hume-x lists --member-of
hume-x list-timeline \x3Clist-id>
Trending
hume-x trending
hume-x trending --tab news
hume-x trending --tab sports
hume-x trending --tab entertainment
Tabs: for-you (default), trending, news, sports, entertainment.
Notifications
hume-x notifications
Scheduled Tweets
hume-x schedule "future tweet" --at "2025-06-01T12:00:00Z"
User Info
hume-x whoami
hume-x about \x3Cusername>
Utility
hume-x check # verify auth credentials
hume-x query-ids # show cached GraphQL query IDs
hume-x refresh-ids # force refresh query IDs from x.com
Output Flags
--json— parsed JSON output (pipe to jq for filtering)--json-full— raw API response JSON--plain— plain text without colors--no-color— disable ANSI colors
hume-x home --json | jq '.[0].text'
hume-x search "topic" --json -n 5
Global Flags
--auth-token \x3Ctoken>— X auth token--ct0 \x3Ctoken>— X ct0 CSRF token--timeout \x3Cms>— request timeout--proxy \x3Curl>— HTTPS/SOCKS5 proxy-n \x3Ccount>— number of results (default varies by command)
Important
- Posting is rate-limited by X. If blocked, wait before retrying.
- Query IDs are auto-scraped from x.com with 24h cache. Use
hume-x refresh-idsif you get 404 errors. - Uses curl-impersonate for reliable HTTP requests to X's GraphQL API.
安全使用建议
Before installing or running this skill: 1) Treat X_AUTH_TOKEN / CT0 like full-account credentials — do not supply them for your primary account without inspecting the code. 2) Ask the publisher for a public source repo and verify the npm package (@humebio/hume-x) on npm/GitHub; inspect install scripts and what files are read/written. 3) Confirm precisely which browser cookie files or paths it will read (and whether it decrypts OS-protected stores). 4) Prefer using a throwaway/test X account if you want to try it, or run the npm package in an isolated container. 5) Request the registry metadata be corrected to declare required env vars, config paths, and an explicit install spec (or remove the install command from SKILL.md). These discrepancies (undeclared credential access + implied local cookie reads + external install suggestion) are the primary reasons I flagged it as suspicious.
功能分析
Type: OpenClaw Skill
Name: hume-x
Version: 1.0.0
The hume-x skill bundle (SKILL.md) describes a CLI tool for X/Twitter that performs high-risk actions, specifically the automated extraction of authentication cookies from Firefox and Chrome browser profiles and the use of environment variables for session tokens. While these actions are consistent with the tool's stated goal of providing an unofficial API interface via curl-impersonate, the capability to access sensitive local data stores and session secrets presents a significant security risk. No direct evidence of data exfiltration or malicious intent was found in the provided documentation, but the broad access to credentials warrants a suspicious classification.
能力评估
Purpose & Capability
The skill's name/description (X/Twitter CLI using cookie auth) matches the commands and features in SKILL.md. However, the registry metadata claims no required env vars/config paths while SKILL.md explicitly documents X_AUTH_TOKEN/X_CT0, a config file (~/.config/hume-x/config.json), and browser cookie use. That mismatch is unexplained.
Instruction Scope
SKILL.md instructs use of environment variables, a local config file, and reading browser cookies (Firefox/Chrome) to obtain credentials, plus auto-scraping query IDs from x.com. Those actions involve reading other apps' cookie stores and local config files but the skill did not declare those file accesses. This broad local-data access is not fully documented in the registry and could expose sensitive account tokens.
Install Mechanism
The registry lists no install spec, but SKILL.md includes metadata recommending 'npm install -g @humebio/hume-x' and mentions curl-impersonate. The platform scan shows no install script; the presence of a suggested npm package and third-party binary is a discrepancy that should be reconciled and the package source verified.
Credentials
SKILL.md requires/accepts powerful secrets (X_AUTH_TOKEN and X_CT0 / AUTH_TOKEN and CT0) and can pull credentials from browser cookies or a config file, but the registry declares no required env vars or primary credential. These tokens can fully control an account; requesting them (and file access to browser stores) should be explicitly declared and justified.
Persistence & Privilege
The skill is user-invocable and not marked always:true. There is no declared persistent platform-level privilege or modification of other skills/configs. From the registry flags, persistence/privilege appears normal.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install hume-x - 安装完成后,直接呼叫该 Skill 的名称或使用
/hume-x触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release — full X/Twitter CLI skill for OpenClaw agents
元数据
常见问题
hume-x 是什么?
X/Twitter CLI and SDK for reading, searching, posting, and engagement via cookie auth. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 378 次。
如何安装 hume-x?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install hume-x」即可一键安装,无需额外配置。
hume-x 是免费的吗?
是的,hume-x 完全免费(开源免费),可自由下载、安装和使用。
hume-x 支持哪些平台?
hume-x 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 hume-x?
由 zeroptis(@zeroptis)开发并维护,当前版本 v1.0.0。
推荐 Skills