0xmythril

Tweet Cli

Author: 0xmythril · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 775
Favorites: 0
Current installs: 2
Versions: 2
Install in OpenClaw
/install tweet-cli
Description
Post tweets, replies, and quotes to X/Twitter using the official API v2. Use this instead of bird for posting. Uses API credits so only post when explicitly...
Security usage recommendations
This skill appears coherent for posting to X/Twitter, but follow these precautions before installing or using it: (1) inspect the GitHub repo and package.json yourself (or run npm pack --dry-run) to confirm there are no postinstall scripts or unexpected telemetry; (2) prefer creating a dedicated API key/account with minimal permissions for automated posting; (3) store credentials in a secure secrets store if available rather than plaintext files (if you use ~/.config/tweet-cli/.env, keep chmod 600 as recommended); (4) be cautious about installing from a GitHub tag — verify the exact tag and review recent commits and releases; (5) ensure the agent asks the user to confirm every post (the SKILL.md instructs this) and do not allow speculative posting. If you want lower-risk verification, request the skill author publish a release tarball or an npm package on the official registry and provide a checksum for audit.
Functional analysis
Type: OpenClaw Skill
Name: tweet-cli
Version: 1.0.0
The skill bundle is classified as suspicious due to its reliance on an external GitHub repository (`github:0xmythril/tweet-cli`) for installation via `npm install -g` as specified in `SKILL.md`. This introduces a supply chain risk, as the actual code being installed is not part of the bundle and its security claims (e.g., 'No postinstall scripts', 'No telemetry') cannot be verified from the provided files. While the `SKILL.md` includes strong prompt injection defenses for the AI agent (e.g., 'Do NOT post unless the user explicitly asks', 'Always confirm with the user') and good security practices for credential handling (`chmod 600`), the unverified external dependency during installation poses a significant risk.
Capability assessment
Purpose & Capability
Name/description (post tweets via X API v2) aligns with required items: a tweet-cli binary and the four X API credentials are exactly what a posting CLI needs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to install and run tweet-cli, create a per-user config file in ~/.config/tweet-cli/.env, and confirm with the user before posting. It does not instruct reading unrelated system files or exfiltrating data. The explicit rule to avoid speculative posting reduces risk.
Install Mechanism
Install guidance uses npm to install directly from a GitHub tag (npm install -g github:0xmythril/tweet-cli#v1.0.0). This is a common pattern but has more risk than installing a vetted package from a central registry because it pulls code from a repository. The registry metadata shows 'No install spec' while SKILL.md provides an install command — this is a small metadata inconsistency but not a security red flag by itself.
Credentials
The four required environment variables (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET) are the standard credentials needed to post via X's API. No other secrets or unrelated env vars are requested. The instructions store credentials in a user-scoped config file (~/.config/tweet-cli/.env) and recommend chmod 600, which is reasonable for a CLI.
Persistence & Privilege
The skill does not request always: true, does not modify system-wide or other-skill configuration, and its persistent footprint is limited to a per-user config file in the user's home directory. Agent autonomous invocation is allowed by default but not combined with other concerning privileges here.
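How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install tweet-cli
  3. Once installation completes, call the Skill by name or trigger it with /tweet-cli
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history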
v1.0.0
- Added a detailed Security section outlining credential handling, lack of telemetry, and dependency transparency.
- Updated installation instructions to recommend a version-pinned npm install command.
- Specified environment variables required in metadata for clearer configuration requirements.
- Improved credential setup steps: added `chmod 600` guidance for restricting access to `.env`.
- Clarified dependencies and absence of install scripts in the documentation.
v0.1.0
Initial release of tweet-cli for posting to X/Twitter via API v2
- Allows posting tweets, replies, and quotes using official API v2.
- Requires explicit user confirmation before posting, to manage limited monthly API credits.
- Provides easy setup instructions for API credentials and authentication.
- Includes commands for posting, replying, quoting, deleting tweets, and verifying authentication.
- Designed for posting only; directs users to use bird for reading or browsing tweets.
Metadata
Slug tweet-cli
Version 1.0.0
License
Total installs 3
Current installs 2
Number of versions 2
FAQ

What is Tweet Cli?

Post tweets, replies, and quotes to X/Twitter using the official API v2. Use this instead of bird for posting. Uses API credits so only post when explicitly... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 775 total downloads to date.

How do I install Tweet Cli?

Run the command "/install tweet-cli" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Tweet Cli free?

Yes, Tweet Cli is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Tweet Cli support?

Tweet Cli runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Tweet Cli?

Developed and maintained by 0xmythril (@0xmythril); the current version is v1.0.0.
