Twitter Automation
Author: Ömer Karışman · v0.1.5
Total downloads: 2287
Favorites: 2
Current installs: 20
Versions: 2
Install in OpenClaw
/install twitter-automation
Description
Automate Twitter/X with posting, engagement, and user management via inference.sh CLI. Apps: x/post-tweet, x/post-create (with media), x/post-like, x/post-re...
Security usage recommendations
This skill appears to do what it says (Twitter/X automation via the inference.sh CLI), but take precautions before installing:
1) Do not blindly run curl | sh — instead download the installer, inspect the script, and verify the SHA-256 checksums against the checksums.txt over HTTPS.
2) Confirm the legitimacy of inference.sh/dist.inference.sh (who operates them, repo, release signatures) before trusting binaries from that domain.
3) Understand what 'infsh login' does: what credentials it requests, where tokens are stored, and whether the CLI will forward your Twitter/X credentials to a third party.
4) Test with a throwaway or restricted account first, since automated likes/DMs/follows can violate platform TOS and risk account suspension.
5) If you want lower risk, prefer vendor-distributed packages on trusted registries or build from source and verify signatures; request the skill author include an explicit install spec or vetted package link.
If you need help analyzing the installer script or the CLI's auth flow, provide the script or the relevant docs and I can review them.
Functional analysis
Type: OpenClaw Skill
Name: twitter-automation
Version: 0.1.5
The `SKILL.md` file contains instructions that, if followed by the OpenClaw agent, would bypass its declared security policy (`allowed-tools: Bash(infsh *)`). Specifically, the 'Quick Start' section instructs the agent to execute `curl -fsSL https://cli.inference.sh | sh` and the 'Related Skills' section instructs `npx skills add ...`. Both `curl | sh` and `npx` commands do not start with `infsh`, representing a prompt injection vulnerability that could lead to arbitrary remote code execution (RCE) and supply chain risks if the remote scripts or npm packages are compromised. While the stated purpose of these commands is installation and adding related skills, the method used introduces significant security vulnerabilities.
Capability assessment
Purpose & Capability
Name, description, and runtime instructions align: the SKILL.md consistently describes using the inference.sh CLI to post, like, retweet, DM, follow, and query X/Twitter. The actions and example commands map to the stated purpose. No unrelated services or credentials are requested in the manifest.
Instruction Scope
The instructions stay within the scope of social automation (install CLI, run infsh app run <app> with JSON inputs). They do instruct 'infsh login' which implies creating/storing authentication tokens via the CLI, but they do not instruct reading arbitrary local files or exfiltrating data. However, the SKILL.md also references other platform apps (image/video generation) which may require their own credentials or external uploads; that increases the attack surface if you follow those workflows.
Install Mechanism
There is no install spec in the registry; instead SKILL.md suggests piping a remote install script (curl -fsSL https://cli.inference.sh | sh) that downloads a binary from dist.inference.sh. That is a high-risk install pattern: it pulls and runs code from a third-party domain rather than a well-known package host. The doc claims SHA-256 checksums are available, but verification is manual and depends on the user trusting the distribution site and TLS chain. This is the main security concern.
Credentials
The registry declares no required environment variables or primary credential, but the runtime requires 'infsh login' (i.e., the CLI will obtain and store auth tokens). That is reasonable for a social media automation tool, but it's not explicit in the manifest—so you should verify what credentials/tokens the CLI requests, where it stores them, and whether it requires OAuth/API keys for X/Twitter or proxies them through inference.sh.
Persistence & Privilege
The skill does not request always:true and has no install spec in the registry that would force persistent system presence. The CLI login will likely store tokens/config in the user's home directory (expected behaviour) but the skill itself doesn't declare system-wide privileges or modify other skills.
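How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install twitter-automation`
- Once installation completes, call the Skill by name or use `/twitter-automation` to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output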
Version history
v0.1.5
- Expanded documentation with detailed CLI usage examples for posting, engagement, and user management on Twitter/X.
- Clarified available apps and their usage, including new examples for posting media, liking, retweeting, DMs, following users, and more.
- Added workflow examples to automate posting of AI-generated images and videos.
- Provided installation, security notes, and links to related skills and platform documentation.
v0.1.0
Initial release – automate Twitter/X actions using inference.sh CLI.
- Supports posting tweets (text & media), liking, retweeting, sending DMs, following users, and profile lookups.
- Provides CLI command examples for each action.
- Includes sample workflows for generating AI images/videos and posting them.
- Links to documentation and related automation skills for extended functionality.
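Metadata
FAQ
What is Twitter Automation?
Automate Twitter/X with posting, engagement, and user management via inference.sh CLI. Apps: x/post-tweet, x/post-create (with media), x/post-like, x/post-re... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2287 total downloads to date.
How do I install Twitter Automation?
Run the command "/install twitter-automation" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Twitter Automation free?
Yes, Twitter Automation is completely free (open source and free) and can be freely downloaded, installed, and used.
Which platforms does Twitter Automation support?
Twitter Automation runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Twitter Automation?
It is developed and maintained by Ömer Karışman (@okaris); the current version is v0.1.5.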