teeclaw

OpenClaw Social Post

Author TeeClaw · GitHub ↗ · v1.5.0
cross-platform ⚠ suspicious
1039 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw
/install openclaw-social-post
Description
Post and reply to X/Twitter and Farcaster with text and images. Features multi-account support, dynamic Twitter tier detection (Basic/Premium), auto-variation to avoid duplicate content detection, draft preview, character validation, threads, replies, and image uploads. Consumption-based pricing for X API, pay-per-cast for Farcaster.
Safe Usage Recommendations
Do not run this skill with live credentials until these issues are resolved. Specific recommendations:
- Ask the author to remove the hardcoded /home/phan_harry paths and use $HOME or relative paths so the skill accesses only the current user's files.
- Require and document all needed credentials explicitly (Farcaster custody and signer keys, FARCASTER_CUSTODY_ADDRESS, and any OPENCLAW_GPG_PASSPHRASE), or avoid reading unrelated host files.
- Declare all runtime binaries (node, npm, gpg) and Node package dependencies (e.g., @farcaster/hub-nodejs), or provide an install spec that installs them from known sources.
- Fix tier detection so it does not attempt real POSTs as a detection method (use safe API endpoints or explicit capability calls that do not create posts), and make dry-run behavior reliable.
- Confirm the presence of, or provide, the missing TWITTER_POST_SCRIPT and farcaster-agent repo (or remove the reliance on external skill repos).
- If you must test, run the skill in an isolated environment (throwaway account/container) and inspect network calls (outbound endpoints) and file accesses first.
If you do not control or verify these fixes, treat the skill as risky: it may read host-specific secrets and could perform unintended posts or external network operations.
Functional Analysis
Type: OpenClaw Skill
Name: openclaw-social-post
Version: 1.5.0
The skill exhibits several vulnerabilities, primarily the use of the `source` command on `.env` files in `lib/farcaster.sh`, `lib/tier-detection.sh`, and `lib/twitter.sh`. Because `source` executes every line of the file as shell code, this is a shell injection risk if the `.env` file can be manipulated by an attacker. Additionally, `lib/twitter.sh` references an external script, `twitter-post.sh`, at an absolute path (`/home/phan_harry/.openclaw/workspace/scripts/twitter-post.sh`) that is not included in the bundle and is an undeclared dependency, posing both a supply chain risk and a functional flaw. While there is no clear evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints or prompt injection attempts against the agent, these vulnerabilities are significant.
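The `source .env` finding above is the kind of defect that is simple to fix in the skill's own language. The following is an added example, not code from the skill or its author: a loader that reads KEY=VALUE pairs from an env file without ever executing it, paired with a path helper that resolves the env file under the current user's HOME instead of a hardcoded /home/phan_harry path. The OPENCLAW_HOME override variable and all sample values are assumptions constructed for the demonstration.

```bash
# Added example (not the skill's own code): load a .env file without `source`.
# `source .env` executes every line as shell, so a line like
#   X_ACCESS_TOKEN=$(some command)
# runs that command with the caller's privileges. This loader accepts only
# KEY=VALUE lines with a valid identifier as KEY and a value free of shell
# metacharacters, then sets them with `export KEY=VALUE`; the value is never
# re-parsed by the shell.

# openclaw_env_path: resolve the env file relative to the current user's HOME
# instead of a hardcoded /home/<user> path. OPENCLAW_HOME is an assumed
# override variable, not one the skill defines.
openclaw_env_path() {
    printf '%s/.env\n' "${OPENCLAW_HOME:-$HOME/.openclaw}"
}

# load_env_safe FILE
# Exports well-formed pairs; sets LOADED and REJECTED to the line counts.
load_env_safe() {
    file="$1"
    LOADED=0
    REJECTED=0
    [ -r "$file" ] || { echo "env file not readable: $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # blank lines and comments
        line="${line#export }"                          # allow "export KEY=VALUE"
        key="${line%%=*}"
        value="${line#*=}"
        # a line without '=' or with an invalid identifier is rejected
        if [ "$key" = "$line" ] || ! printf '%s\n' "$key" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'; then
            REJECTED=$((REJECTED + 1)); continue
        fi
        # strip one layer of matching quotes around the value
        case "$value" in
            \"*\") value="${value#\"}"; value="${value%\"}" ;;
            \'*\') value="${value#\'}"; value="${value%\'}" ;;
        esac
        # anything `source` would have expanded or executed is rejected outright
        case "$value" in
            *'$'*|*'`'*|*';'*|*'|'*|*'&'*|*'('*|*')'*|*'<'*|*'>'*)
                REJECTED=$((REJECTED + 1)); continue ;;
        esac
        export "$key=$value"
        LOADED=$((LOADED + 1))
    done < "$file"
}

# Constructed sample .env for the demonstration (placeholder values, not real secrets).
SAMPLE_ENV="$(mktemp)"
cat > "$SAMPLE_ENV" <<'EOF'
# X credentials
X_CONSUMER_KEY=abc123
export X_CONSUMER_SECRET="s3cr3t value"
# Under `source` the next two lines would execute commands; the loader drops them.
X_ACCESS_TOKEN=$(echo would-run-a-command)
FARCASTER_CUSTODY_ADDRESS=0x0000; echo also-runs
not a valid line
EOF

load_env_safe "$SAMPLE_ENV"
echo "loaded=$LOADED rejected=$REJECTED"          # loaded=2 rejected=3
echo "X_CONSUMER_SECRET=$X_CONSUMER_SECRET"
echo "env file would be read from: $(openclaw_env_path)"
rm -f "$SAMPLE_ENV"
```

The rejection list is deliberately strict: a credential value legitimately containing `$` or `;` is refused rather than risked, and the operator is expected to quote or re-issue it. Rejecting is the safer failure for a loader that runs with the agent's privileges.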
Capability Assessment
Purpose & Capability
The declared purpose is social posting to X (Twitter) and Farcaster, which matches the code. However, the declared requirements (requires.env lists only X_* keys) omit the Farcaster private keys and custody data that the code actually needs. The code also expects a separate farcaster-agent repo and Node tooling (npm/node), which are not declared. Several scripts hardcode absolute paths under /home/phan_harry/.openclaw (env file, repo, cache), so the skill will try to access another user's files rather than those under the current user's HOME, which is inconsistent and unexpected for a general-purpose social-post skill.
Instruction Scope
SKILL.md instructs storing credentials under ~/.openclaw and using dry-run for testing, but the code:
  1. sources /home/phan_harry/.openclaw/.env (an absolute path) rather than respecting $HOME or the tilde;
  2. reads/writes a tier cache at /home/phan_harry/.openclaw/workspace/... and expects a farcaster-agent repo at /home/phan_harry/.openclaw/workspace/skills/farcaster-agent/repo;
  3. uses GPG decryption and may read $HOME/.openclaw/.env.secrets.gpg;
  4. uploads images to external hosts (catbox.moe, uguu.se) and shortens links via tinyurl; these are expected for the feature set but should be declared explicitly.
Critically, the tier-detection Python code attempts an authenticated POST to the API (/2/tweets) with a 281-character test payload to infer limits. That operation may create a real tweet (the code does not reliably perform a safe dry-run), contradicting SKILL.md's promise that detection is a safe check.
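The tier-detection finding above is a dry-run failure: a probe meant to be read-only can create content. The following added example, written for this page and not taken from the skill, shows the shape a reliable dry-run takes in a bash skill: non-GET requests are simulated unless the operator sets LIVE_POSTING=1, every request (real or simulated) is appended to a log so the outbound endpoints can be reviewed before credentials are used, and the character limit is enforced locally from configuration rather than discovered by sending an over-length POST. X_API_BASE, LIVE_POSTING, X_CHAR_LIMIT and X_BEARER_TOKEN are assumed variable names; the page itself names only the /2/tweets path.

```bash
# Added example (not the skill's own code): an outbound-request wrapper in which
# dry-run is the default and anything that creates content needs an explicit
# LIVE_POSTING=1. Every request, real or simulated, is appended to REQUEST_LOG so
# the endpoints a run would contact can be reviewed before live credentials are used.
# X_API_BASE, LIVE_POSTING, X_CHAR_LIMIT and X_BEARER_TOKEN are assumed names.

REQUEST_LOG="${REQUEST_LOG:-$(mktemp)}"
: "${X_API_BASE:=https://api.x.com}"   # assumed default base URL; override as needed
: "${LIVE_POSTING:=0}"                 # 0 = simulate every non-GET request

# api_request METHOD PATH [JSON_BODY]
# GET requests go out as-is; any other method is simulated unless LIVE_POSTING=1.
api_request() {
    method="$1"; path="$2"; body="${3:-}"
    printf '%s %s%s\n' "$method" "$X_API_BASE" "$path" >> "$REQUEST_LOG"
    if [ "$method" != "GET" ] && [ "$LIVE_POSTING" != "1" ]; then
        printf 'DRY-RUN: %s %s body=%s\n' "$method" "$path" "$body"
        return 0
    fi
    curl -sS -X "$method" \
         -H "Authorization: Bearer ${X_BEARER_TOKEN:?set X_BEARER_TOKEN for live requests}" \
         -H 'Content-Type: application/json' \
         ${body:+-d "$body"} "$X_API_BASE$path"
}

# post_tweet TEXT
# Enforces the character limit locally from configuration (default 280) instead of
# probing the API with an over-length POST; an over-length text never reaches
# api_request at all.
post_tweet() {
    text="$1"; limit="${X_CHAR_LIMIT:-280}"
    if [ "${#text}" -gt "$limit" ]; then
        printf 'REJECTED: %s chars exceeds configured limit of %s\n' "${#text}" "$limit" >&2
        return 1
    fi
    # minimal JSON string escaping (backslash and double quote); use jq for full escaping
    escaped=$(printf '%s' "$text" | sed 's/\\/\\\\/g; s/"/\\"/g')
    api_request POST /2/tweets "{\"text\":\"$escaped\"}"
}

# Demonstration with LIVE_POSTING left at 0: nothing leaves the machine.
post_tweet "Hello from a dry run"
post_tweet "$(printf '%0281d' 0)" || echo "over-length text was blocked before any request"
echo "--- requests this run would have made (kept in $REQUEST_LOG for review) ---"
cat "$REQUEST_LOG"
```

The account tier, and with it the character limit, is treated here as configuration the operator supplies (X_CHAR_LIMIT) because the only capability the page documents being probed is the limit itself; a skill that must discover the tier should do so with a call that cannot create content, and the log makes it easy to confirm that no POST was issued during detection.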
Install Mechanism
No install spec is provided, yet the code invokes Node/npm (npm run cast, inline node -e) and expects external Node modules and a farcaster-agent repo. The declared required binaries are bash, curl, jq, python3 and shuf, but node/npm and gpg are also used and not declared. Having no install step while depending on undeclared tooling and another skill's repo is an incoherent and risky design choice.
Credentials
The manifest requires only X_CONSUMER_KEY etc., but the code needs many additional secrets (Farcaster custody/private keys, signer keys, FARCASTER_CUSTODY_ADDRESS, possibly OPENCLAW_GPG_PASSPHRASE). The SKILL.md and README instruct storing Farcaster credentials in ~/.openclaw/farcaster-credentials.json or in .env, but these are not listed in requires.env. The skill also supports multi-account prefixes (OXDASX_*), but that mapping is not fully documented in the manifest. Requesting and reading private keys and GPG secrets is necessary for Farcaster posting, but their omission from the declared requirements, together with the hardcoded paths, makes the requested secrets disproportionate and under-documented.
Persistence & Privilege
The skill writes a tier cache file (twitter-account-tiers.json) under /home/phan_harry/.openclaw/workspace/memory and may create/read other files in that hardcoded directory. While 'always' is false, the hardcoded file paths reference another user's home and another skill's repo; this gives the skill persistent read/write access to host-specific locations beyond its own isolated workspace. It does not appear to modify other skills' configurations directly, but it depends on and uses another skill's directories (farcaster-agent), which is a privilege/safety concern.
How to Use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install openclaw-social-post
  3. After installation, invoke the Skill by name directly or trigger it with /openclaw-social-post
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version History
v1.5.0
Twitter tier detection (Basic/Premium), interactive threading, Farcaster GPG fix, multi-account support, reply functionality, auto-variation
Metadata
Slug openclaw-social-post
Version 1.5.0
License
Total installs 0
Current installs 0
Number of versions 1
FAQ

What is OpenClaw Social Post?

Post and reply to X/Twitter and Farcaster with text and images. Features multi-account support, dynamic Twitter tier detection (Basic/Premium), auto-variation to avoid duplicate content detection, draft preview, character validation, threads, replies, and image uploads. Consumption-based pricing for X API, pay-per-cast for Farcaster. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1039 downloads to date.

How do I install OpenClaw Social Post?

Run the command "/install openclaw-social-post" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is OpenClaw Social Post free?

Yes, OpenClaw Social Post is completely free (open source and free of charge) and can be freely downloaded, installed and used.

Which platforms does OpenClaw Social Post support?

OpenClaw Social Post is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed OpenClaw Social Post?

Developed and maintained by TeeClaw (@teeclaw); the current version is v1.5.0.