Twitter Autopilot
Author: persnola1-sketch · v1.3.1
Total downloads: 668
Favorites: 0
Current installs: 1
Versions: 5
Install in OpenClaw
/install twitter-autopilot
Description
Automate Twitter/X posting, engagement, and growth for OpenClaw AI agents. Use when setting up an agent's Twitter presence, posting tweets, running engagemen...
Security recommendations
This skill appears to do what it says (automate Twitter/X posting) and includes a usable Python script, but pay attention to these points before installing:
- Metadata mismatch: The registry claims no required env vars, yet SKILL.md and the script require sensitive Twitter credentials (API key/secret and access token/secret, optional bearer token). Treat that as a red flag — the platform's permission UI may not surface these needs.
- Real-world effects: If you supply live account credentials and allow autonomous invocation, the agent can post, follow, unfollow, delete, and otherwise act on your public account. Run in DRAFT mode or use a separate test account until you trust it.
- Secrets handling: Only provide keys you are willing to revoke. Prefer a dedicated API key/token pair with minimal permissions. Rotate tokens after testing. Do not use credentials tied to a high-value or organizational account.
- Review and limit autonomy: If possible, require human approval (MODE.md DRAFT) for initial posts, or disable autonomous cron jobs. Audit logs in twitter/posted-log.md regularly.
- Code review: The included script looks straightforward and contains no obvious remote exfiltration or obfuscated endpoints, but confirm that log paths and files are acceptable for your environment and that you are comfortable with the script writing to disk.
If you want to proceed: update the registry metadata to declare the required environment variables (so reviewers and automated gates can surface them), test against a disposable/test account, and enforce draft approval until behavior is verified.
Functional analysis
Type: OpenClaw Skill
Name: twitter-autopilot
Version: 1.3.1
The skill is classified as suspicious due to a local file inclusion/arbitrary file read/write vulnerability in `scripts/tweet.py`. Specifically, the `queue`, `mode`, and `check-dupe` commands can accept arbitrary file paths as arguments, allowing an attacker or a misconfigured AI agent to read or write files outside the intended `twitter/` directory (e.g., `python tweet.py queue /etc/passwd`). While the `SKILL.md` documentation does not instruct the agent to exploit this, the underlying code lacks input validation for these paths, presenting a clear security risk without evidence of intentional malicious design.
Capability assessment
Purpose & Capability
The SKILL.md and scripts/tweet.py both implement Twitter/X posting, follows, replies, threads, and local draft/log management — behavior consistent with the description. However, the registry metadata reports no required environment variables or primary credential while SKILL.md (and the code) require multiple Twitter OAuth credentials; this metadata mismatch is an incoherence that affects permission review and automated gating.
Instruction Scope
The runtime instructions and the included script stick to the described scope: they use tweepy, require Twitter credentials, post tweets, follow/unfollow, and read/write files under a twitter/ directory (MODE.md, queue.md, drafts, posted-log.md, logs/). The skill does perform actions with real-world effects (posting, following) and instructs cron/autonomous operation, which raises operational risk but is within the stated purpose.
Install Mechanism
This is an instruction-only skill with a bundled Python script; there is no install spec or remote download. The only dependency is pip-installable 'tweepy' as documented. No external or obscure install URLs are used.
Credentials
The skill requires multiple sensitive environment variables (TWITTER_API_KEY, TWITTER_API_SECRET, TWITTER_ACCESS_TOKEN, TWITTER_ACCESS_SECRET, optional TWITTER_BEARER_TOKEN) which are appropriate for Twitter integration, but the registry metadata does not declare them (no primaryEnv and 'required env vars: none'). That mismatch is a security/process concern: automated systems or reviewers won't know the skill needs credentials, and users may supply secrets without realizing the skill will use them to perform public actions. Also, because follow/read operations use the bearer token, missing/incorrect env handling could cause crashes or unexpected behavior.
Persistence & Privilege
The skill is not set to always:true and does not request system-wide changes; it only reads/writes its own twitter/ files. Autonomous invocation is allowed (default), which is expected for an automation skill — but combined with the ability to post and follow using real account credentials, autonomous execution increases blast radius and should be controlled (e.g., draft mode, human approval, or run with a separate test account).
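How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install twitter-autopilot
- Once installation completes, call the Skill by name or trigger it with /twitter-autopilot
- Provide the required inputs according to the Skill's parameter description to get structured output.
Version history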
v1.3.1
No feature/code changes. Documentation update only.
- Updated and/or expanded content in `references/content-strategy.md`.
v1.3.0
Version 1.3.0
- Added `references/content-strategy.md`, providing a comprehensive tweet writing playbook.
- Updated SKILL.md to reference the new content strategy guide, including details on X algorithm insights, hook formulas, thread templates, and growth tactics.
- Clarified strategy section and improved guidance on tweet writing and content planning.
v1.2.0
twitter-autopilot 1.2.0
- Updated `scripts/tweet.py` (details not specified—refer to the file for specific changes).
- No changes to documentation or workflow instructions.
- Existing features, commands, and usage remain the same.
v1.1.0
- Added a new "Requirements & Scope" section detailing required environment variables, file dependencies, and operational scope.
- Expanded documentation on file usage, including draft, log, and queue files.
- Updated draft workflow and best practices with additional operational tips and recommendations.
- Provided new best practices and practical lessons, including duplicate checks and improved logging instructions.
v1.0.0
Initial release: post, thread, reply, quote, retweet, follow, unfollow, mentions, draft workflow, strategy templates
FAQ
What is Twitter Autopilot?
Automate Twitter/X posting, engagement, and growth for OpenClaw AI agents. Use when setting up an agent's Twitter presence, posting tweets, running engagemen... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 668 total downloads to date.
How do I install Twitter Autopilot?
Run the command "/install twitter-autopilot" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Twitter Autopilot free?
Yes, Twitter Autopilot is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Twitter Autopilot support?
Twitter Autopilot is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Twitter Autopilot?
Developed and maintained by persnola1-sketch (@persnola1-sketch); the current version is v1.3.1.