npm - @xquik/tweetclaw - Versions diffs - 1.4.1 → 1.5.0 - Mend

@xquik/tweetclaw 1.4.1 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md CHANGED Viewed

@@ -74,10 +74,10 @@ Top up credits from the Xquik dashboard or via `POST /credits/topup`. All 120 en
 ```bash
 npm i mppx viem
-openclaw config set plugins.entries.tweetclaw.config.tempoPrivateKey '0xYOUR_TEMPO_KEY'
+openclaw config set plugins.entries.tweetclaw.config.tempoSigningKey '0xYOUR_TEMPO_ACCOUNT_KEY'
 ```
-MPP (Machine Payments Protocol) lets agents pay per API call via Tempo (USDC). No account, no API key, no subscription. 16 read-only endpoints. Get a Tempo wallet at [tempo.xyz](https://tempo.xyz).
+MPP (Machine Payments Protocol) lets agents pay per API call via Tempo (USDC). No account, no API key, no subscription. 16 read-only endpoints. Create a Tempo account with `mppx account create` or at [tempo.xyz](https://tempo.xyz). The key stays local and is only used to sign payment proofs.
 MPP-eligible endpoints: tweet lookup ($0.00015), tweet search ($0.00015/tweet), user lookup ($0.00015), user tweets ($0.00015/tweet), follower check ($0.00105), article lookup ($0.00105), media download ($0.00015/media), trends ($0.00045), X trends ($0.00045), quotes ($0.00015/tweet), replies ($0.00015/tweet), retweeters ($0.00015/user), favoriters ($0.00015/user), thread ($0.00015/tweet), user likes ($0.00015/tweet), user media ($0.00015/tweet).

package/openclaw.plugin.json CHANGED Viewed

@@ -1,26 +1,26 @@
 {
   "id": "tweetclaw",
   "name": "TweetClaw",
-  "version": "1.4.0",
-  "description": "Post tweets, reply, like, retweet, follow, DM from your chat - full X/Twitter automation powered by Xquik. 120 endpoints, reads from $0.00015/call.",
+  "version": "1.4.1",
+  "description": "Post tweets, reply, like, retweet, follow, DM from your chat - full X/Twitter automation powered by Xquik. 120 endpoints, reads from $0.00015/call. Requires an Xquik API key or Tempo signing key.",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
     "properties": {
       "apiKey": { "type": "string", "minLength": 1, "description": "Xquik API key (get one at dashboard.xquik.com). Required for full access to all 120 endpoints." },
-      "tempoPrivateKey": { "type": "string", "minLength": 1, "description": "Tempo wallet private key for MPP pay-per-use mode. No account needed. 16 read-only X-API endpoints." },
+      "tempoSigningKey": { "type": "string", "minLength": 1, "description": "Tempo signing key for MPP pay-per-use mode. No account needed. 16 read-only X-API endpoints." },
       "baseUrl": { "type": "string", "default": "https://xquik.com" },
       "pollingInterval": { "type": "number", "default": 60, "description": "Event polling interval in seconds" },
       "pollingEnabled": { "type": "boolean", "default": true }
     },
     "anyOf": [
       { "required": ["apiKey"] },
-      { "required": ["tempoPrivateKey"] }
+      { "required": ["tempoSigningKey"] }
     ]
   },
   "uiHints": {
     "apiKey": { "label": "Xquik API Key", "sensitive": true, "placeholder": "xq_...", "help": "Full access to all 120 endpoints. Generate at dashboard.xquik.com." },
-    "tempoPrivateKey": { "label": "Tempo Private Key (MPP)", "sensitive": true, "placeholder": "0x...", "help": "Pay-per-use mode via Machine Payments Protocol. No account needed. 16 read-only X-API endpoints only. Requires mppx and viem packages." },
+    "tempoSigningKey": { "label": "Tempo Signing Key (MPP)", "sensitive": true, "placeholder": "0x...", "help": "Pay-per-use mode via Machine Payments Protocol. No account needed. 16 read-only X-API endpoints only. Requires mppx and viem packages." },
     "baseUrl": { "label": "API Base URL", "placeholder": "https://xquik.com", "advanced": true, "help": "Only change if using a self-hosted Xquik instance." },
     "pollingInterval": { "label": "Event Poll Interval (seconds)", "advanced": true, "help": "How often to check for new monitor events. Default: 60 seconds." },
     "pollingEnabled": { "label": "Enable Event Notifications", "advanced": true, "help": "Deliver monitor alerts and extraction completions to your chat." }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@xquik/tweetclaw",
-  "version": "1.4.1",
+  "version": "1.5.0",
   "description": "Post tweets, reply, like, retweet, follow, DM & more from OpenClaw - full X/Twitter automation via Xquik. 120 endpoints, reads from $0.00015/call.",
   "license": "MIT",
   "type": "module",
@@ -18,7 +18,15 @@
   "openclaw": {
     "extensions": [
       "./src/index.ts"
-    ]
+    ],
+    "compat": {
+      "pluginApi": ">=2026.3.28",
+      "minGatewayVersion": "2026.3.28"
+    },
+    "build": {
+      "openclawVersion": "2026.3.28",
+      "pluginSdkVersion": "2026.3.28"
+    }
   },
   "files": [
     "src/",

package/skills/tweetclaw/SKILL.md CHANGED Viewed

@@ -102,10 +102,10 @@ Get a key at [dashboard.xquik.com](https://dashboard.xquik.com/).
 ```bash
 npm i mppx viem
-openclaw config set plugins.entries.tweetclaw.config.tempoPrivateKey '0xYOUR_KEY'
+openclaw config set plugins.entries.tweetclaw.config.tempoSigningKey '0xYOUR_SIGNING_KEY'
 ```
-MPP gives agents access to 16 read-only X-API endpoints without any account or subscription. The mppx SDK handles HTTP 402 payment challenges automatically.
+MPP gives agents access to 16 read-only X-API endpoints without any account or subscription. The mppx SDK handles HTTP 402 payment challenges automatically. The signing key stays local and is only used to sign payment proofs.
 ## Tools

package/src/index.ts CHANGED Viewed

@@ -18,7 +18,7 @@ function isPollerEvent(value: unknown): value is PollerEvent {
 function isPluginConfig(value: unknown): value is PluginConfig {
   if (typeof value !== 'object' || value === null) return false;
-  return 'apiKey' in value || 'tempoPrivateKey' in value;
+  return 'apiKey' in value || 'tempoSigningKey' in value;
 }
 const DEFAULT_POLLING_INTERVAL_SECONDS = 60;
@@ -76,25 +76,25 @@ export default function register(api: OpenClawApi, fetchFunction?: FetchFunction
   const config: unknown = api.pluginConfig;
   if (!isPluginConfig(config)) {
     api.logger.warn(
-      "TweetClaw: No API key or Tempo wallet configured. Run: openclaw config set plugins.entries.tweetclaw.config.apiKey 'xq_YOUR_KEY' or set tempoPrivateKey for MPP pay-per-use",
+      "TweetClaw: No API key or Tempo signing key configured. Run: openclaw config set plugins.entries.tweetclaw.config.apiKey 'xq_YOUR_KEY' or set tempoSigningKey for MPP pay-per-use",
     );
     return;
   }
-  const { apiKey, baseUrl = 'https://xquik.com', tempoPrivateKey } = config;
-  const isMppMode = apiKey === undefined && tempoPrivateKey !== undefined;
+  const { apiKey, baseUrl = 'https://xquik.com', tempoSigningKey } = config;
+  const isMppMode = apiKey === undefined && tempoSigningKey !== undefined;
   const credential = apiKey ?? '';
   if (isMppMode) {
     void (async (): Promise<void> => {
       try {
-        await initMpp(tempoPrivateKey);
-        api.logger.info('TweetClaw: MPP initialized - Tempo wallet ready');
+        await initMpp(tempoSigningKey);
+        api.logger.info('TweetClaw: MPP initialized - Tempo account ready');
       } catch (error: unknown) {
         api.logger.error(`TweetClaw: MPP init failed - ${error instanceof Error ? error.message : String(error)}`);
       }
     })();
-    api.logger.info('TweetClaw: MPP mode - pay-per-use via Tempo (16 X-API endpoints, no subscription needed)');
+    api.logger.info('TweetClaw: MPP mode - pay-per-use via Tempo account (16 X-API endpoints, no subscription needed)');
   }
   const request = createProxiedRequest(baseUrl, credential, fetchFunction);

package/src/mpp.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { resolveAsyncFunctionConstructor } from './tools/sandbox.js';
+import { resolveAsyncFunctionConstructor } from './tools/executor.js';
 type ModuleLoader = (name: string) => Promise<Record<string, unknown>>;
@@ -22,7 +22,7 @@ function createModuleLoader(): ModuleLoader {
   };
 }
-async function initMpp(tempoPrivateKey: string, loadModule?: ModuleLoader): Promise<void> {
+async function initMpp(tempoSigningKey: string, loadModule?: ModuleLoader): Promise<void> {
   const load = loadModule ?? createModuleLoader();
   const mppxMod = await load('mppx/client').catch((): never => {
     throw new Error('MPP requires mppx package. Run: npm i mppx viem');
@@ -35,7 +35,7 @@ async function initMpp(tempoPrivateKey: string, loadModule?: ModuleLoader): Prom
   if (!isRecord(mppxMod.Mppx)) throw new Error('mppx missing Mppx');
   const createMethod: unknown = mppxMod.Mppx.create;
   if (!isCallable(createMethod)) throw new Error('mppx Mppx.create is not a function');
-  const account: unknown = viemMod.privateKeyToAccount(tempoPrivateKey);
+  const account: unknown = viemMod.privateKeyToAccount(tempoSigningKey);
   const method: unknown = mppxMod.tempo({ account });
   createMethod({ methods: [method] });
 }

package/src/tools/executor.ts ADDED Viewed

@@ -0,0 +1,125 @@
+import vm from 'node:vm';
+import { API_SPEC } from '../api-spec.js';
+import { truncateResponse } from '../truncate.js';
+import type { ToolResult } from '../types.js';
+const specEndpoints: ReadonlyArray<Readonly<Record<string, unknown>>> = API_SPEC.map(
+  (endpoint): Readonly<Record<string, unknown>> => ({ ...endpoint }),
+);
+function extractErrorMessage(error: unknown): string {
+  if (error instanceof Error) {
+    return `${error.constructor.name}: ${error.message}`;
+  }
+  return String(error);
+}
+function isAsyncFunctionConstructor(
+  value: unknown,
+): value is new (...parameters: readonly string[]) => (...parameters: readonly unknown[]) => Promise<unknown> {
+  return typeof value === 'function';
+}
+function getConstructorFromPrototype(proto: unknown): unknown {
+  if (typeof proto !== 'object' || proto === null) {
+    return undefined;
+  }
+  return 'constructor' in proto ? proto.constructor : undefined;
+}
+function resolveAsyncFunctionConstructor(prototype?: unknown): new (
+  ...parameters: readonly string[]
+) => (...parameters: readonly unknown[]) => Promise<unknown> {
+  const asyncPrototype: unknown = prototype ?? Object.getPrototypeOf(async (): Promise<void> => {});
+  const candidate: unknown = getConstructorFromPrototype(asyncPrototype);
+  if (!isAsyncFunctionConstructor(candidate)) {
+    throw new Error('AsyncFunction constructor not found');
+  }
+  return candidate;
+}
+const BLOCKED_PROPS: ReadonlySet<string | symbol> = new Set(['constructor', '__proto__', 'prototype']);
+function isBlockedProperty(property: string | symbol): boolean {
+  return BLOCKED_PROPS.has(property);
+}
+function wrapValue(value: unknown): unknown {
+  if (value === null || value === undefined) return value;
+  if (typeof value !== 'object' && typeof value !== 'function') return value;
+  return createSafeProxy(value);
+}
+async function wrapAsync(promise: Promise<unknown>): Promise<unknown> {
+  const resolved: unknown = await promise;
+  return wrapValue(resolved);
+}
+function createCallableProxy(bound: (...a: readonly unknown[]) => unknown): unknown {
+  const handler: ProxyHandler<typeof bound> = {
+    apply(_target: typeof bound, _thisArgument: unknown, argumentsList: unknown[]): unknown {
+      const result: unknown = bound(...argumentsList);
+      if (result instanceof Promise) {
+        return wrapAsync(result);
+      }
+      return wrapValue(result);
+    },
+    get(_target: typeof bound, property: string | symbol): unknown {
+      if (isBlockedProperty(property)) return undefined;
+      return Reflect.get(_target, property);
+    },
+  };
+  return new Proxy(bound, handler);
+}
+function createSafeProxy(target: unknown): unknown {
+  if (target === null || target === undefined) return target;
+  if (typeof target !== 'object' && typeof target !== 'function') return target;
+  const handler: ProxyHandler<Record<string | symbol, unknown>> = {
+    get(t: Record<string | symbol, unknown>, property: string | symbol): unknown {
+      if (isBlockedProperty(property)) return undefined;
+      const value: unknown = Reflect.get(t, property);
+      if (typeof value === 'function') {
+        const bound: (...a: readonly unknown[]) => unknown = value.bind(t);
+        return createCallableProxy(bound);
+      }
+      return wrapValue(value);
+    },
+  };
+  return new Proxy(target as Record<string | symbol, unknown>, handler);
+}
+function runInSandbox(code: string, globals: Readonly<Record<string, unknown>>): unknown {
+  const rawContext: Record<string, unknown> = Object.create(null) as Record<string, unknown>;
+  for (const key of Object.keys(globals)) {
+    const value: unknown = globals[key];
+    const safeValue: unknown = typeof value === 'object' && value !== null
+      ? createSafeProxy(value)
+      : value;
+    Reflect.set(rawContext, key, safeValue);
+  }
+  const context: vm.Context = vm.createContext(rawContext);
+  return vm.runInNewContext(`(${code})()`, context);
+}
+function successResult(content: unknown): ToolResult {
+  return { content: [{ text: truncateResponse(content), type: 'text' as const }] };
+}
+function errorResult(error: unknown): ToolResult {
+  return { content: [{ text: extractErrorMessage(error), type: 'text' as const }], isError: true };
+}
+export {
+  BLOCKED_PROPS,
+  createSafeProxy,
+  errorResult,
+  extractErrorMessage,
+  getConstructorFromPrototype,
+  resolveAsyncFunctionConstructor,
+  runInSandbox,
+  specEndpoints,
+  successResult,
+  wrapValue,
+};

package/src/tools/explore.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { API_SPEC } from '../api-spec.js';
-import { AsyncFunction, errorResult, specEndpoints, successResult } from './sandbox.js';
+import { errorResult, runInSandbox, specEndpoints, successResult } from './executor.js';
 import type { EndpointInfo, ToolResult } from '../types.js';
 const categories = [...new Set(API_SPEC.map((endpoint) => endpoint.category))].toSorted((a, b) => a.localeCompare(b)).join(', ');
@@ -47,8 +47,7 @@ async () => {
 async function handleExplore(code: string): Promise<ToolResult> {
   try {
-    const executor = new AsyncFunction('spec', `return (${code})()`);
-    const result: unknown = await executor({ endpoints: specEndpoints });
+    const result: unknown = await runInSandbox(code, { spec: { endpoints: specEndpoints } });
     return successResult(result);
   } catch (error: unknown) {
     return errorResult(error);

package/src/tools/tweetclaw.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { createProxiedRequest } from '../request.js';
-import { AsyncFunction, errorResult, specEndpoints, successResult } from './sandbox.js';
+import { errorResult, runInSandbox, specEndpoints, successResult } from './executor.js';
 import type { FetchFunction, RequestFunction, ToolResult } from '../types.js';
 const EXECUTE_DESCRIPTION = `Execute X (Twitter) API calls: post tweets, reply, like, retweet, follow, DM, update profile, upload media, search tweets, look up users, extract data, run giveaways, monitor accounts, compose tweets, and more. Write an async arrow function.
@@ -302,7 +302,7 @@ async () => {
 - Subscription required: /api/v1/styles (X API refresh when cache >7 days), /api/v1/x/profile, /api/v1/x/communities, /api/v1/x/dm, /api/v1/extractions, /api/v1/draws, /api/v1/monitors, /api/v1/events, /api/v1/webhooks, /api/v1/styles/:username/performance, /api/v1/trending/:source
 - Write actions (subscription required): POST /api/v1/x/tweets, DELETE /api/v1/x/tweets/:id, POST|DELETE /api/v1/x/tweets/:id/like, POST /api/v1/x/tweets/:id/retweet, POST|DELETE /api/v1/x/users/:id/follow, POST /api/v1/x/dm/:userId, POST /api/v1/x/media, PATCH /api/v1/x/profile, PATCH /api/v1/x/profile/avatar, PATCH /api/v1/x/profile/banner, POST|DELETE /api/v1/x/communities, POST|DELETE /api/v1/x/communities/:id/join
 - IMPORTANT: Always attempt the request. Never assume subscription status. The API returns a clear error if subscription is missing.
-- MPP MODE: When configured with tempoPrivateKey (no API key), the mppx SDK auto-handles 402 challenges by paying via Tempo (USDC). Only the 16 MPP-eligible endpoints work in this mode.
+- MPP MODE: When configured with a Tempo signing key (no API key), the mppx SDK auto-handles 402 challenges by paying via Tempo (USDC). Only the 16 MPP-eligible endpoints work in this mode.
 ## Error handling
 - If response contains "subscription is inactive" or status 402, call POST /api/v1/subscribe to get checkout URL
@@ -325,10 +325,9 @@ async function handleTweetclaw(options: Readonly<TweetclawOptions>): Promise<Too
   const { apiKey, baseUrl, code, fetchFunction, timeoutMs = EXECUTION_TIMEOUT_MS } = options;
   try {
     const request: RequestFunction = createProxiedRequest(baseUrl, apiKey, fetchFunction);
-    const executor = new AsyncFunction('xquik', 'spec', `return (${code})()`);
     const result: unknown = await Promise.race([
-      executor({ request }, { endpoints: specEndpoints }),
+      runInSandbox(code, { xquik: { request }, spec: { endpoints: specEndpoints } }),
       new Promise<never>((_resolve, reject) => {
         setTimeout(() => {
           reject(new Error(`Execution timed out after ${String(timeoutMs / MS_PER_SECOND)}s`));

package/src/types.ts CHANGED Viewed

@@ -37,7 +37,7 @@ interface PluginConfig {
   readonly baseUrl?: string;
   readonly pollingEnabled?: boolean;
   readonly pollingInterval?: number;
-  readonly tempoPrivateKey?: string;
+  readonly tempoSigningKey?: string;
 }
 interface EventPollerOptions {

package/src/tools/sandbox.ts DELETED Viewed

@@ -1,58 +0,0 @@
-import { API_SPEC } from '../api-spec.js';
-import { truncateResponse } from '../truncate.js';
-import type { ToolResult } from '../types.js';
-const specEndpoints: ReadonlyArray<Readonly<Record<string, unknown>>> = API_SPEC.map(
-  (endpoint): Readonly<Record<string, unknown>> => ({ ...endpoint }),
-);
-function extractErrorMessage(error: unknown): string {
-  if (error instanceof Error) {
-    return `${error.constructor.name}: ${error.message}`;
-  }
-  return String(error);
-}
-function isAsyncFunctionConstructor(
-  value: unknown,
-): value is new (...parameters: readonly string[]) => (...parameters: readonly unknown[]) => Promise<unknown> {
-  return typeof value === 'function';
-}
-function getConstructorFromPrototype(proto: unknown): unknown {
-  if (typeof proto !== 'object' || proto === null) {
-    return undefined;
-  }
-  return 'constructor' in proto ? proto.constructor : undefined;
-}
-function resolveAsyncFunctionConstructor(prototype?: unknown): new (
-  ...parameters: readonly string[]
-) => (...parameters: readonly unknown[]) => Promise<unknown> {
-  const asyncPrototype: unknown = prototype ?? Object.getPrototypeOf(async (): Promise<void> => {});
-  const candidate: unknown = getConstructorFromPrototype(asyncPrototype);
-  if (!isAsyncFunctionConstructor(candidate)) {
-    throw new Error('AsyncFunction constructor not found');
-  }
-  return candidate;
-}
-const AsyncFunction = resolveAsyncFunctionConstructor();
-function successResult(content: unknown): ToolResult {
-  return { content: [{ text: truncateResponse(content), type: 'text' as const }] };
-}
-function errorResult(error: unknown): ToolResult {
-  return { content: [{ text: extractErrorMessage(error), type: 'text' as const }], isError: true };
-}
-export {
-  AsyncFunction,
-  errorResult,
-  extractErrorMessage,
-  getConstructorFromPrototype,
-  resolveAsyncFunctionConstructor,
-  specEndpoints,
-  successResult,
-};