Total downloads: 3651
Favorites: 5
Current installs: 17
Versions: 1
Install in OpenClaw
/install twitter-post
Description
Post tweets to Twitter/X via the official API v2 (OAuth 1.0a). Use when the user asks to tweet, post to Twitter/X, send a thread, reply to a tweet, or quote...
Security recommendations
This skill's code implements posting to Twitter/X and legitimately needs four OAuth credentials (consumer key/secret and access token/secret). However, the registry metadata incorrectly shows no required credentials — treat that as a red flag. Before installing: (1) verify you obtained the credentials from developer.x.com and understand where you'll store them; prefer per-skill secret storage rather than plain shell profiles; (2) create a dedicated Twitter app / tokens with least privilege (Read+Write only for this app) and use tokens you can revoke/rotate; (3) inspect scripts/tweet.js (it posts only to api.twitter.com and supports an optional HTTPS_PROXY) and run with TWITTER_DRY_RUN=1 first to check behavior; (4) confirm OpenClaw's secret storage protections (who/what can read instance config) because storing OAuth tokens in instance config can expose them to other skills or admins; (5) ask the publisher to correct the registry metadata to declare the required env vars/primary credential and provide a homepage or source provenance. If you cannot verify provenance or the secret-storage protections, treat installation as higher risk and consider alternatives (official integrations or verified plugins).
Functional analysis
Type: OpenClaw Skill
Name: twitter-post
Version: 1.0.0
The skill bundle is benign. It provides a legitimate function to post tweets to Twitter/X via the official API v2. Credentials are handled securely via environment variables, and the `SKILL.md` explicitly warns against hardcoding them. The `tweet.js` script correctly implements OAuth 1.0a, handles tweet content validation, and directs all network traffic to `api.twitter.com`. There is no evidence of data exfiltration, unauthorized command execution, persistence mechanisms, or malicious prompt injection instructions against the agent.
Capability assessment
Purpose & Capability
The name/description, SKILL.md, and scripts/tweet.js all align: the code posts tweets via Twitter API v2 using OAuth 1.0a. However, the registry metadata lists no required environment variables or primary credential, while both SKILL.md and scripts/tweet.js require four sensitive OAuth env vars (TWITTER_CONSUMER_KEY, TWITTER_CONSUMER_SECRET, TWITTER_ACCESS_TOKEN, TWITTER_ACCESS_TOKEN_SECRET). This mismatch between declared requirements and actual required credentials is incoherent and should be resolved.
Instruction Scope
SKILL.md instructs the agent to execute scripts/tweet.js via exec and to rely on the four OAuth env vars; those instructions are within the stated purpose (posting tweets). But the instructions access environment variables that are not declared in the registry metadata (see above). SKILL.md also suggests storing credentials in the OpenClaw instance config or shell profile — guidance that has security implications but stays within tweeting scope. There are no instructions to read unrelated files or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no install spec that downloads remote code; the skill bundles a local script (scripts/tweet.js). No external downloads, package installs, or extract steps are present. This is a low-risk install mechanism in that nothing arbitrary is fetched at install-time.
Credentials
The four OAuth env vars required by the script are appropriate for a Twitter posting skill, but the registry metadata does not declare them (no primaryEnv and 'Required env vars: none'). Requesting four sensitive secrets is proportionate to the function itself, but the omission in the declared requirements is a notable governance/visibility problem: users may not realize the skill needs OAuth tokens and may store them in places that broaden exposure. The script also recognizes HTTPS_PROXY and TWITTER_DRY_RUN, which are reasonable optional env vars.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not modify other skills or system-wide settings and does not ask to persist credentials itself beyond recommending storing env vars in instance config or shell profiles (which is normal but has security implications).
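How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install twitter-post
- After installation, call the Skill by name directly or use /twitter-post to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output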
Version history
v1.0.0
Initial release: OAuth 1.0a tweet posting with thread, reply, quote support
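FAQ
What is Twitter Post?
Post tweets to Twitter/X via the official API v2 (OAuth 1.0a). Use when the user asks to tweet, post to Twitter/X, send a thread, reply to a tweet, or quote... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 3651 cumulative downloads to date.
How do I install Twitter Post?
Run the command "/install twitter-post" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.
Is Twitter Post free?
Yes, Twitter Post is completely free (open source and free of charge); it can be freely downloaded, installed, and used.
Which platforms does Twitter Post support?
Twitter Post runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Twitter Post?
It is developed and maintained by pt (@sit-in); the current version is v1.0.0.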