📦 Twitter Watch Reply — 监控推文并AI回
v0.1.2基于 6551 Twitter/X API 监控指定账号的新推文,自动生成 AI 回复草稿;半自动模式下先展示候选回复,经用户确认后通过已登录浏览器自动发布,避免重复回复并管理 watchlist 与状态文件。
0· 376·0 当前·0 累计
by @yugulugulu下载技能包
最后更新
2026/4/21
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill largely does what it claims (poll a 3rd‑party 6551 API for tweets, generate reply candidates, and manage a local state directory), but the package metadata failing to declare the required TWITTER_TOKEN is a red flag — it reduces transparency about what secrets the skill needs. Before installing: (1) inspect the included scripts (doctor.py, fetch_latest_tweets.py) and confirm you are comfortable giving TWITTER_TOKEN to the 6551 service (ai.6551.io); (2) run doctor.py in a safe/test env...详细分析 ▾
⚠ 用途与能力
The skill's description, SKILL.md, and Python scripts consistently implement a semi‑automatic Twitter/X watch-and-reply flow using a 6551 API token (TWITTER_TOKEN). However, the registry metadata lists no required environment variables or primary credential; that omission is inconsistent with the skill's stated need for TWITTER_TOKEN and is a packaging/metadata mismatch that reduces transparency.
⚠ 指令范围
Runtime instructions restrict actions to polling a third‑party API (ai.6551.io), writing state/config under the workspace data directory, rendering alerts, and relying on a locally logged‑in browser for sending replies. Those actions are within the stated purpose, but the SKILL.md and scripts read TWITTER_TOKEN (not declared in metadata) and make network POSTs to ai.6551.io — any external network calls and token use should be explicit in the package metadata so users understand the blast radius.
✓ 安装机制
No install spec or remote downloads; the skill is instruction-only plus plain Python scripts included in the package. No installers, archived downloads, or untrusted URLs are used — low install risk from this package itself.
⚠ 凭证需求
Functionally the skill only needs a single token (TWITTER_TOKEN) and filesystem write access to its data directory, which is proportionate. The concern is that the token requirement is not declared in the registry metadata; also the token is for a third‑party service (6551/ai.6551.io) — users should verify what permissions that token grants and whether they trust the external service before providing credentials.
✓ 持久化与权限
The skill does not request elevated platform privileges, is not marked always:true, and only writes to its own workspace/data paths (config.json, state.json, logs). It does not modify other skills or global agent settings.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.22026/3/9
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install twitter-watch-reply
镜像加速npx clawhub@latest install twitter-watch-reply --registry https://cn.longxiaskill.com镜像同步中