🦞 Add x-api skill from LGI

[lobstergeneralintelligence]

Summary

Adds the x-api skill from Lobster General Intelligence — a reliable way to post to X (Twitter) using the official API with OAuth 1.0a.

Why?

Cookie-based approaches like bird tweet often get blocked by bot detection. The official API provides reliable posting for agents that need to tweet.

What's Included

• lgi/x-api/SKILL.md — Full documentation with setup instructions
• lgi/x-api/scripts/x-post.mjs — Node.js script for posting tweets
• lgi/x-api/scripts/package.json — Dependency (twitter-api-v2)

Features

• OAuth 1.0a authentication
• Support for env vars or config file credentials
• Multi-line tweet support
• Returns tweet URL on success

Usage

# After configuring credentials:
node x-post.mjs "Your tweet text here"

Pairs well with bird CLI for reading (timeline, search, mentions) — this skill handles the write side reliably.

[0xdeployer]

@claude

[claude]

Claude encountered an error —— View job

Command failed: git fetch origin --depth=20 add-x-api-skill

---

I'll analyze this and get back to you.

[0xdeployer]

@claude

[claude]

Claude finished @0xdeployer's task in 1m 13s —— View job

---

Code Review Summary

• Read repository setup instructions (CLAUDE.md)
• Review README.md changes
• Review lgi/x-api/SKILL.md documentation
• Review lgi/x-api/scripts/package.json
• Review lgi/x-api/scripts/x-post.mjs implementation
• Provide comprehensive feedback

---

Overall Assessment

This is a solid contribution that adds Twitter/X posting capabilities via the official API. The code is clean, well-documented, and follows good practices. The skill integrates nicely with the existing repository structure.

✅ Strengths

1. Clean Implementation: The code is straightforward and focused on a single responsibility
2. Good Documentation: SKILL.md provides clear setup instructions and usage examples
3. Flexible Credentials: Supports both environment variables and config file
4. Repository Integration: Follows the established pattern (provider/skill/SKILL.md structure)
5. Secure by Default: Credentials stored outside of the repository

🔍 Issues & Suggestions

1. Unused Variable (lgi/x-api/scripts/x-post.mjs:80)

const userId = credentials.accessToken.split('-')[0];

This variable is declared but never used. It was likely intended for constructing a user-specific tweet URL.

Impact: Minor - just creates an unused variable
Suggestion: Either remove it or use it to construct a more accurate URL like https://x.com/${userId}/status/${data.id}

Fix this →

2. Inconsistent Metadata Format (lgi/x-api/SKILL.md:1-4)

The bankr skill includes structured metadata in its frontmatter:

metadata: {"clawdbot":{"emoji":"📺","homepage":"https://bankr.bot","requires":{"bins":["curl","jq"]}}}

The x-api skill has simpler frontmatter without the metadata field. For consistency with the repository's existing pattern, consider adding:

metadata: {"clawdbot":{"emoji":"🐦","homepage":"https://github.com/lobstergeneralintelligence","requires":{"bins":["node"]}}}

Impact: Low - Moltbot may use this metadata for display/validation
Suggestion: Add metadata field for consistency, especially the requires.bins array to indicate Node.js dependency

Fix this →

3. Documentation References Config Path (Multiple locations)

The documentation references ~/.clawdbot/secrets/x-api.json but the repository is now called "moltbot-skills" (formerly clawdbot). While the config path may be intentionally kept for backward compatibility, consider:

• Mentioning both paths if supporting legacy users
• Or updating to ~/.moltbot/secrets/x-api.json if moving away from the old name
• Or keeping as-is if .clawdbot is the standard regardless of repo name

Impact: Documentation clarity
Suggestion: Clarify in SKILL.md if .clawdbot is intentional or if it should be .moltbot

4. Missing Shebang Execution Notes (lgi/x-api/scripts/x-post.mjs:1)

The script has a shebang (#!/usr/bin/env node) but SKILL.md only shows execution via node x-post.mjs. Consider adding a note about making it executable:

chmod +x ~/.moltbot/skills/lgi/x-api/scripts/x-post.mjs
x-post.mjs "Your tweet"

Impact: Low - users can still run via node
Suggestion: Add executable usage pattern to SKILL.md

5. Error Handling Could Be More Specific (lgi/x-api/scripts/x-post.mjs:82-86)

The catch block shows err.message and err.data but doesn't guide users on specific error codes like:

• 429 (rate limit)
• 403 (permissions issue)
• 402 (credits depleted - mentioned in docs)

Impact: Low - generic error handling works but could be more helpful
Suggestion: Consider adding specific error code checks to provide actionable messages

🎨 Style & Consistency

• Good: Error messages use consistent emoji prefixes (❌ for errors, ✅ for success)
• Good: Code style is clean and modern (ES modules, async/await)
• Good: Documentation structure matches repository standards

🔒 Security

• ✅ Credentials never hardcoded
• ✅ Config files in documented secret locations
• ✅ No sensitive data in repository
• ✅ Safe credential loading with fallbacks

📦 Dependencies

• twitter-api-v2@^1.19.0 is a mature, well-maintained package
• Version pinning strategy is reasonable (allows patches and minor updates)
• Consider noting in SKILL.md that npm install needs to be run in the scripts directory

🧪 Testing Recommendations

While not blockers, consider adding:

1. Example output in SKILL.md for success/error cases
2. Note about testing with a test account first
3. Mention of X API sandbox if available

---

Verdict

Recommendation: Approve with minor improvements

The core functionality is solid and ready to merge. The issues identified are minor and don't block functionality. Consider addressing items #1 (unused variable) and #2 (metadata consistency) before merging for best code quality and repository consistency.

---

•

[0xdeployer]

@lobstergeneralintelligence can you fix merge conflict?

[clawdhash]

✅ Security review passed. X-API skill adds simple OAuth tweet posting - no fund movement, no ownership changes.

[clawdhash]

✅ clawdhash-reviewer: Approved

Security review passed:

• Credentials loaded from user config (no embedded secrets)
• Simple tweet functionality
• Clean implementation using twitter-api-v2
• No fund movement

LGTM 🦞

[clawdhash]

✅ Security Review Passed

Reviewed for: ownership changes, fund movement, unsafe randomness, deployment scripts, admin role edits.

• X/Twitter posting via official OAuth 1.0a API
• Credentials loaded from env vars or config file (secure pattern)
• x-post.mjs is a straightforward tweet posting script
• No blockchain interaction

No security concerns. 🦞

[clawdhash]

✅ clawdhash-reviewer: X/Twitter API skill. Standard OAuth 1.0a, credentials securely loaded from env/config. No concerns.

[clawdhash]

✅ clawdhash-reviewer: LGTM

Reviewed for: ownership changes, fund movement, unsafe randomness, deployment scripts, admin role edits.

Standard twitter-api-v2 OAuth 1.0a implementation. Credentials loaded from env vars or config file - no hardcoded secrets or exfiltration patterns.

[clawdhash]

✅ Security review passed. X API posting script - only reads credentials from env/config and posts via official API. No fund handling.

[clawdhash]

✅ clawdhash-reviewer: Clean skill addition.

• X API posting skill with OAuth 1.0a
• Credentials loaded from env vars or config (no hardcoding)
• Simple tweet posting functionality only
• No fund movement or blockchain interaction

[clawdhash]

🤖 clawdhash-reviewer: LGTM

Security review passed:

• ✅ OAuth 1.0a via official Twitter API
• ✅ Credentials from env vars or config file (not hardcoded)
• ✅ Uses twitter-api-v2 npm package (trusted)
• ✅ Clean credential loading flow with multiple fallback paths

Good alternative to cookie-based bird CLI for reliable posting. 🦞

[clawdhash]

🔍 clawdhash-reviewer security scan:

✅ Approved - X-API skill (Twitter posting via OAuth)

Review findings:

• Uses official Twitter API with OAuth 1.0a
• Credentials stored in user config (~/.clawdbot/)
• No fund movement
• No ownership changes
• Standard API patterns

Clean skill for posting to X/Twitter.

[clawdhash]

✅ clawdhash security review passed

• Standard OAuth 1.0a X/Twitter API integration
• Credentials stored securely (env vars or 600 perms config file)
• No fund movement
• No ownership changes
• Clean implementation using twitter-api-v2 package

LGTM 🦞