Publish tweets to X (Twitter) using the official Tweepy library. Supports text-only tweets, tweets with images or videos, and returns detailed publish result...
Security Analysis
Medium confidence: The skill implements tweeting via Tweepy and legitimately needs X API credentials, but the registry metadata claims no required environment variables and the bundle contains a code file (partially truncated in the package) — this mismatch and incomplete file raise concerns before installing or trusting credentials.
The code and SKILL.md both implement the advertised functionality (posting text/media via Tweepy). However, the registry metadata lists no required environment variables or primary credential, even though both SKILL.md and the script require X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN and X_ACCESS_TOKEN_SECRET (and optionally X_BEARER_TOKEN). The omission in the metadata is an inconsistency that should be clarified.
Runtime instructions only cover installing tweepy, setting X-related env vars, verifying credentials, uploading local media files, and publishing tweets. The script reads only those env vars and local media paths; it does not reference unrelated system files or external endpoints beyond the official X/Twitter API. Example usage includes subprocess invocation in docs (for integrators), which is expected for CLI tooling.
There is no automated install spec in the registry; SKILL.md instructs the user to run pip3 install tweepy --user. That is a normal, low-risk instruction. No remote archives, obscure URLs, or extracted binaries are used by the packaged files.
The skill legitimately requires sensitive credentials (API Key/Secret and Access Token/Secret). Requesting these is proportionate to posting tweets. However, the registry omits declaring these required env vars and primary credential, which is an important metadata mismatch: users may not realize they must provide secrets. Additionally, the package bundle is partially truncated in the provided file listing (the script ends with '…[truncated]'), so it is unclear whether the full code contains additional env var usage or unexpected behavior.
Skill flags are standard (always:false, user-invocable:true, model invocation allowed). The skill does not request persistent system-level privileges or config paths, nor does it attempt to modify other skills. It operates as a CLI tool using local files and env vars.
Guidance
This skill appears to do what it says (post tweets via Tweepy) and needs your X/Twitter API keys — that is expected — but the registry metadata failing to list those secrets is a red flag. Before installing or supplying credentials: (1) inspect the full x_publisher.py file (the provided bundle appears truncated) to ensure there are no hidden network endpoints or secret exfiltration paths; (2) only install Tweepy from the official PyPI package; (3) create and use an app credential pair with the minimum required permissions and consider using a throwaway/test account for initial testing; (4) avoid pasting API secrets into chat or web forms and prefer environment variables or a secure secret store; (5) if you plan to run this in production, run it in an isolated environment (container/VM) and verify the complete source from a trusted source or request corrected registry metadata that declares required env vars.
Latest Release
v1.0.5
- Initial release of X-Publisher for publishing tweets to X (Twitter) using the official Tweepy library
- Supports text-only tweets, tweets with images (JPG, PNG, GIF, WebP), and videos (MP4, MOV, AVI, WebM)
- Returns detailed publish results including tweet ID, URL, content preview, and timestamp
- Includes authentication verification and detailed error messages for common issues
- Command-line usage documentation and media limitations provided in both Chinese and English
Published by @AlphaFactor on ClawHub