Post to X (Twitter) using the official API with OAuth 1.0a. Use when you need to tweet, post updates, or publish content. Bypasses rate limits and bot detection that affect cookie-based approaches like bird CLI.
Security Analysis
Confidence: high
The skill does what it says — posts to X using OAuth 1.0a — but the registry metadata omits the required credentials and a few small inconsistencies should be noted before installing.
The skill's name, README, SKILL.md, and script all align: it posts to X via the official API and requires OAuth 1.0a credentials. However the registry metadata claims no required env vars/primary credential while the runtime clearly requires four credentials (consumer key/secret and access token/secret). This mismatch is an incoherence in the metadata, not the implementation.
Runtime instructions and the script are narrowly scoped to posting tweets. The script only reads credentials (from env vars or the stated config paths) and calls the official API via the twitter-api-v2 library. It does not attempt to read unrelated system files or contact unexpected endpoints.
There is no bundled install spec (instruction-only skill) and the project depends on the npm package twitter-api-v2 declared in package.json. The SKILL.md recommends running npm install (or -g). This is a standard, moderate-risk dependency install; verify the package/version via npm and consider running npm audit before installing globally.
The runtime requires four sensitive credentials (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET) and accepts a config file at ~/.clawdbot/secrets/x-api.json or ./.x-api.json. Those requirements are proportionate to posting on X, but the registry metadata incorrectly lists no required env vars/credentials. Also note the fallback to a .x-api.json in the current working directory — storing secrets there could be riskier than a secure home config file.
The skill does not request persistent, elevated, or always-on privileges (always: false). It does not modify other skills or system-wide settings. It just provides a CLI script invoked by the user or the agent.
Guidance
This skill's code matches its description: it posts tweets using OAuth 1.0a and requires four X credentials. Before installing: (1) be aware the registry metadata omitted the required credentials — the SKILL.md/script expect X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_SECRET or a config file; (2) store credentials securely (prefer a single-purpose file in your home directory with restricted permissions rather than ./.x-api.json); (3) review and verify the npm dependency (twitter-api-v2) and run npm audit or install in an isolated environment if you have concerns; (4) the README claim that this “bypasses rate limits and bot detection” is marketing — expect standard API limits/requirements and billing from X; (5) confirm you trust the skill owner (no homepage provided) and inspect the script yourself — it does not exfiltrate secrets or call unexpected hosts. If any of these checks fail or you are uncomfortable storing OAuth tokens, do not install the skill.
Latest Release
v0.1.0
- Initial release of x-api: post tweets to X (Twitter) using the official API with OAuth 1.0a.
- Bypasses rate limits and bot detection—more reliable than cookie-based CLI tools.
- Clear setup instructions for obtaining and configuring API credentials.
- Supports multi-line tweet posts and returns the tweet URL on success.
- Specifies API usage limits, troubleshooting steps, and distinguishes use cases vs. the bird CLI for reading.
Published by @lobstergeneralintelligence on ClawHub