Total downloads: 952
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install twitter-api
Description
Cookie-based Twitter/X automation toolkit (timeline, notifications, posting, follow ops) for OpenClaw agents.
Security usage advice
This skill contains working code for cookie-based Twitter automation, but it also embeds suspicious artifacts: a default proxy URL with credentials (in twitter_api/config/settings.py), hardcoded auth_token/ct0 values in demo_langchain_tools.py, and a Bearer token in constants. These are red flags because they could (intentionally or accidentally) route your account traffic through a third-party proxy or expose live credentials. Before installing or running:
1) Do not paste real account cookies into .env until you audit and remove/change hardcoded proxies/credentials.
2) Inspect and remove or replace the DEFAULT_PROXY and any embedded tokens; treat any exposed tokens as compromised (rotate/reset them).
3) Run the code in an isolated environment (sandbox/container) and monitor outbound network connections to verify where traffic is sent.
4) Prefer using well-documented, official APIs and credentials rather than cookie re-use; if you must use this, require that the repository author/source is trusted.
Because of the mismatches and embedded credentials, consider this skill suspicious and audit thoroughly (or avoid) unless you can validate the proxy owner and rotate any affected credentials.
Functional analysis
Type: OpenClaw Skill
Name: twitter-api
Version: 1.0.0
The skill bundle is classified as suspicious due to critical vulnerabilities and high-risk capabilities. The most severe issue is the presence of hardcoded Twitter `AUTH_TOKEN` and `CT0` credentials in `twitter_api/demo_langchain_tools.py`, which represents a significant information leak. Additionally, `twitter_api/config/settings.py` contains a hardcoded proxy URL with credentials. While these are vulnerabilities (leaking the skill's own credentials) rather than direct malicious attacks against the user's system, they are severe security flaws. Furthermore, the `ProfileAPI` and `SubscriptionAPI` expose highly sensitive actions like `change_password`, `delete_phone`, and `create_subscription` (with `payment_method_id`), which, if misused by an AI agent (e.g., via prompt injection), could lead to account compromise or financial loss. A minor issue is the hardcoded local path `C:\Users\IFLW016\Desktop\GanClaw_Workspace\_shared\social_ops` in `scripts/analyze_signal.py`, which affects portability.
Capability assessment
Purpose & Capability
Name/description match the code: this is a cookie-based Twitter/X client and automation scripts. However the registry metadata declares no required env vars while the code expects many GANCLAW_* account variables (e.g., GANCLAW_X_PRIMARY_AUTH_TOKEN, GANCLAW_X_PRIMARY_CT0) and uses .env files. That mismatch between declared requirements and actual needs is an incoherence: someone building a Twitter cookie client would legitimately need the cookie env vars, so those should be declared.
Instruction Scope
SKILL.md instructs pip install and to copy/fill a .env with auth_token + ct0 and to run scripts (timeline, post, follow). The code follows that, but also reads/writes a repo-level config.json (via twitter_api/config/settings.py) and has helper functions to load token files and save results. The README/instructions do not disclose that the package contains default proxy settings or embedded demo credentials present in code — these broaden behavior beyond the documented scope and pose risk.
Install Mechanism
No formal install spec in registry (instruction-only); SKILL.md relies on 'pip install -r requirements.txt', which is reasonable, and the requirements are small (aiohttp, tenacity, etc.). Because there is no packaged install step, code files will simply run from the repository. That reduces installer-supply-chain risk but means the provided source code must be trusted and audited before execution.
Credentials
The registry declares no required credentials, yet the code expects many environment vars for account cookies and proxy control. More critically, the repository contains hardcoded secrets: DEFAULT_CONFIG sets a DEFAULT proxy with embedded credentials (beeaVXlWtDSdzRin:[email protected]:1337), demo_langchain_tools.py contains an AUTH_TOKEN and CT0 literal, and constants include an authorization Bearer value. Hardcoded network/proxy credentials and example tokens are disproportionate and can enable traffic routing or token reuse/exfiltration if left unchanged.
Persistence & Privilege
always:false and the skill doesn't request platform-wide privileges. The code does write a config.json in the repository root and provides save_results helpers to write files — standard for a CLI library. However, because a default proxy with credentials exists in configuration, persistent use (e.g., running scripts repeatedly or by an autonomous agent) would cause repeated network traffic possibly routed through those credentials. Autonomous invocation alone is not flagged, but combined with hardcoded proxy credentials this increases blast radius.
How to use
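- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install twitter-api
- Once installation completes, call the Skill by name or trigger it with /twitter-api
- Provide the required inputs according to the Skill's parameter description to get structured output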
Version history
v1.0.0
Initial release.
Full Twitter/X automation toolkit including:
• Async API client using auth_token + ct0 authentication
• Tweet creation, replies, engagement, and relationship actions
• Timeline + notifications ingestion and analysis workflows
• LangChain tool integration for agent-based usage
• CLI/helper scripts for monitoring, reporting, and posting
Designed for OpenClaw-based autonomous agents and research workflows.
FAQ
What is Twitter API Integration (Web Reversed )?
Cookie-based Twitter/X automation toolkit (timeline, notifications, posting, follow ops) for OpenClaw agents. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 952 cumulative downloads so far.
How do I install Twitter API Integration (Web Reversed )?
Run the command "/install twitter-api" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Twitter API Integration (Web Reversed ) free?
Yes, Twitter API Integration (Web Reversed ) is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does Twitter API Integration (Web Reversed ) support?
Twitter API Integration (Web Reversed ) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Twitter API Integration (Web Reversed )?
It is developed and maintained by GAN12003 (@gan12003); the current version is v1.0.0.