Tweet Pipeline
Author: Nissan Dookeran
Version: v1.0.0
Total downloads: 350
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install tweet-pipeline
Description
Notion-to-Twitter automation — pull approved tweets from a Notion database, schedule one-shot crons for exact post times, and post via X/Twitter OAuth2 API....
Security recommendations
This skill is not outright malicious, but it is inconsistent and requires careful review before use. Key concerns:
- The scripts do not use the declared NOTION_API_KEY env var; they invoke the 1Password CLI (op) and read a local service token file to pull the Notion key from 1Password.
- Twitter credentials are read from a local file (~/.xurl), not from declared env vars.
- The scripts call hardcoded user-specific binaries and paths (a specific python in /Users/loki, /opt/homebrew node, ~/.npm-global/bin/openclaw) that may not exist and reveal assumptions about the developer's machine.
- There is subprocess usage of 'op' and 'openclaw cron add', which will access your password manager and schedule jobs on your system.
Recommended actions before installing or running:
- Ask the author to explain why NOTION_API_KEY is declared but not used, and to list all required binaries (op, node, openclaw CLI).
- Inspect and/or sanitize ~/.xurl and remove sensitive credentials, or modify scripts to accept Twitter creds via environment variables instead of reading a local file.
- Replace hardcoded paths with configurable values or relative paths.
- Run the scripts in a controlled sandbox or test account first (dry-run mode is provided).
- Ensure you are comfortable granting the skill access to your 1Password service account token and to schedule crons on your machine; if not, do not run it.
- Because the refresh logic contains buggy/undefined variables, review and fix that function before trusting automatic token refresh or credential writes.
Functional analysis
Type: OpenClaw Skill
Name: tweet-pipeline
Version: 1.0.0
The skill contains hardcoded absolute paths to a specific user's home directory (/Users/loki/) and attempts to read sensitive credentials from the host filesystem, specifically ~/.xurl and ~/.config/openclaw/.op-service-token. It relies on the 1Password CLI (op) to fetch secrets, which is a high-privilege operation. While these behaviors appear intended for a specific personal automation setup, the hardcoded environment dependencies and the practice of accessing sensitive files outside the workspace are risky. Additionally, scripts/tweet_post_one.py contains broken logic with undefined variables (refresh, user, xurl_path) in its token refresh function.
Capability assessment
Purpose & Capability
The skill description says it reads Notion and posts to X/Twitter and declares NOTION_API_KEY as the primary credential. However, both scripts do not use an environment NOTION_API_KEY; instead they call the 1Password CLI ('op') and read ~/.config/openclaw/.op-service-token plus op:// paths to retrieve the Notion key. They also read a local YAML file (~/.xurl) for Twitter OAuth1 credentials. The code expects other local tools/paths (op, node, openclaw CLI, specific python path and home-directory paths) that are not declared in the metadata.
Instruction Scope
SKILL.md describes polling Notion and scheduling crons, which matches high-level behavior, but the runtime instructions in the scripts go beyond that: they read local config and secret files, execute the 1Password CLI via subprocess, schedule crons by calling a hardcoded node+openclaw binary, and write a state file under ~/.openclaw. The poster script also contains a token-refresh function that references undefined variables and may attempt to read/write local credential files. The instructions therefore access filesystem and credential sources not described in the skill metadata.
Install Mechanism
There is no install spec (instruction-only), so nothing will be downloaded at install. That lowers install-time risk, but the scripts call external binaries (op, node, openclaw, a specific python under /Users/loki/.pyenv) that are assumed to exist. The skill metadata only required python3; it does not declare 'op' or the openclaw/node binaries it will invoke.
Credentials
The declared required env vars list only NOTION_API_KEY, yet the code ignores that env var and instead requires access to other secrets: a local service-account token file (~/.config/openclaw/.op-service-token) used with the 1Password CLI and a local YAML (~/.xurl) containing Twitter consumer/access tokens. These undeclared secrets and file reads are disproportionate to the declared requirement and are security-relevant.
Persistence & Privilege
always:false and the skill writes only its own state file (~/.openclaw/workspace/memory/scheduled-tweets.json) and schedules one-shot crons via the openclaw CLI. It does modify Notion pages (updating Status/Posted At), which is expected for a poster. It does not declare 'always:true' or modify other skills, but cron scheduling and reliance on local CLI tools mean it creates persistent scheduled work on the host if run.
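How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install tweet-pipeline
- Once installation completes, invoke the Skill by name or trigger it with /tweet-pipeline
- Provide the required inputs as described in the Skill's parameter documentation to get structured output
Version history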
v1.0.0
Initial release — Notion-to-Twitter automation.
- Pulls approved tweets from a Notion database.
- Schedules one-shot cron jobs for precise posting times.
- Posts to X/Twitter via OAuth2 API.
- Tracks tweet status to prevent duplicates.
- Designed for managing and automating social content calendars using Notion.
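Metadata
FAQ
What is Tweet Pipeline?
Notion-to-Twitter automation — pull approved tweets from a Notion database, schedule one-shot crons for exact post times, and post via X/Twitter OAuth2 API.... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 350 cumulative downloads to date.
How do I install Tweet Pipeline?
Run the command "/install tweet-pipeline" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Tweet Pipeline free?
Yes, Tweet Pipeline is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Tweet Pipeline support?
Tweet Pipeline runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Tweet Pipeline?
It is developed and maintained by Nissan Dookeran (@nissan); the current version is v1.0.0.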