𝕏 X-CLI Toolkit — X/Twitter全能工具
v1.0.0无需API密钥,仅凭cookie与proxy即可在终端完成X/Twitter的读取、搜索、发帖、互动、私信、列表、投票与热门话题等全部操作。
2· 710·1 当前·1 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceThe skill is generally coherent for providing cookie-based X/Twitter access, but it encourages the agent (or user) to provide credentials/cookies and would store session cookies in the skill directory — a risky practice that could lead to credential exposure or accidental exfiltration.
评估建议
This skill appears to do what it says, but exercise caution before installing or using it with your real X account. Key points:
- The tool authenticates with either a cookies.json file or username/password stored in config.json. Do NOT paste your account password into a chat with an agent unless you fully trust that agent and environment.
- cookies.json contains session tokens that function like passwords; if created, they live in the skill directory and could be read by other processes/users on...详细分析 ▾
ℹ 用途与能力
Name/description match the implementation: the scripts use twikit to interact with X via cookie-based auth and provide reading, search, posting, DMs, lists, media upload, etc. No unrelated credentials or binaries are requested. Requiring a cookies.json or username/password in config.json is consistent with the stated 'cookie auth, no API keys' model.
⚠ 指令范围
SKILL.md and README instruct the agent to clone, install, configure, and authenticate automatically and explicitly suggest giving username/password to the agent. The code reads/writes config.json and cookies.json in the skill folder and directs the agent to run arbitrary scripts via exec — this expands the agent's access to user credentials and to site content (media fetched via web_fetch). While functional for the stated purpose, the runtime instructions grant the agent broad discretion to obtain and store sensitive credentials and session cookies.
✓ 安装机制
No arbitrary remote downloads or custom installers are used. The only external package referenced is twikit via pip (requirements.txt). The skill is distributed as code files (no install spec), which will be executed by the agent — expected but means code runs locally on the agent.
⚠ 凭证需求
The skill does not request platform env vars but expects sensitive secrets in config.json (x_password/x_username or cookies.json). The README explicitly suggests telling the agent your username/password which risks exposing credentials in chat or in files under the agent's skill directory. Storing cookies.json in the skill directory creates persistent session material that other processes or skills could potentially access if the host environment is shared.
ℹ 持久化与权限
always:false (good). The skill writes cookies and config files into its own directory (normal), and the README suggests installing as a global skill. It does not request to modify other skills or system configs. The combination of agent-run exec plus instructions to auto-install/authenticate increases blast radius if credentials are provided.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/20
Initial release: - 40+ commands across 7 scripts (read, search, post, interact, dm, extra, auth). - No API keys needed (cookie auth). - Fully compatible with OpenClaw agents. - Media vision & contextual replies supported.
● 可疑
安装命令
点击复制官方npx clawhub@latest install x-cli
镜像加速npx clawhub@latest install x-cli --registry https://cn.longxiaskill.com