X Bookmark Triage

Automatically triages X/Twitter bookmarks into structured knowledge cards and posts them to a Discord channel (#knowledge-intake or similar). Captures tweet...

What to check before installing or running this skill: - Metadata mismatch: The registry listing claims no required env vars, but the code requires X OAuth credentials, a Discord bot token, and an Anthropic API key. Do not rely on the registry metadata; follow SKILL.md and inspect scripts before running. - Secrets exposure: The scripts will read/write token files under a workspace data/ directory, and they will fall back to a secrets JSON in parent directories and (via run-poll.sh) may read an OpenClaw gateway plist using PlistBuddy. Only run this under an account where those fallback paths are safe and won’t expose other secrets. Prefer to run in an isolated workspace and set env vars directly rather than relying on auto-discovery. - Refresh-token handling: X rotates refresh tokens. The code writes new refresh tokens to data/x-oauth2-new-refresh-token.txt and asks you to manually update your environment/plist. Consider using a proper secrets manager to automate write-back if you want that behavior; otherwise rotating tokens may break background runs. - Least privilege: If you do not want bookmarks automatically deleted, avoid granting bookmark.write scope (or run with --no-unbookmark / remove delete calls). Review bookmark-unbookmark calls before providing write scope. - Review prompts & network calls: The skill sends tweet/web content to an external LLM (Anthropic) and uses third-party proxies (fxtwitter, markdown.new). If you have privacy concerns about sending content to those endpoints, do not enable the triage or remove/modify the network calls. - File permissions & logs: Files written by the skill (token cache, new-refresh-token file, seen.json) should be protected (scripts set 0o600 for token file). Confirm logs and data files are stored where you control access. - Run a dry test first: Use --dry-run and limited --limit to test behaviour, run setup-check.js, and inspect the written data files. Consider running the code locally (manual triage of a single URL) before scheduling cron/launchd/OpenClaw tasks. If you want help reviewing specific files (e.g., the gateway plist you plan to point to, or the secrets file path), provide them and I can highlight exact lines that read or write secrets.

Type: OpenClaw Skill Name: x-bookmark-triage Version: 1.0.0 The skill bundle is a well-documented and functional utility for triaging X/Twitter bookmarks into Discord knowledge cards using Claude Haiku. It implements a standard OAuth 2.0 PKCE flow for X API access and uses a 'no-dependency' approach, relying on system 'curl' and Node.js built-ins rather than external NPM packages. While it utilizes third-party proxies like 'fxtwitter.com' and 'markdown.new' to extract content and handles sensitive API secrets, the code includes proper security practices such as token storage with restricted permissions (0o600), input encoding (encodeURIComponent), and safe sub-process execution (spawnSync with JSON-stringified payloads). The behavior is transparent and strictly aligned with the stated purpose.