Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
X Interact
v1.0.0
Interact with X.com (Twitter) via Tavily web search and extraction. Search tweets, extract content from linked URLs, monitor accounts and topics. Requires Ta...
by @0x-wzw
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (searching X/Twitter via Tavily) matches the actions described in SKILL.md (mcporter calls to tavily_search/tavily_extract). However, the registry metadata does not declare the Tavily API key or the mcporter dependency that are required by the instructions, creating an incoherence between description and declared requirements.
Instruction Scope
SKILL.md's runtime instructions are narrowly scoped: they instruct the agent to configure mcporter with a Tavily MCP URL and to call specific mcporter endpoints (tavily_search, tavily_extract, tavily_research). The instructions do not ask for unrelated files, system paths, or additional credentials beyond the Tavily key and do not describe arbitrary data exfiltration.
Install Mechanism
There is no install script or external download; this is an instruction-only skill with a small validate.sh and README. No high-risk install mechanism (external binary download/extract) is present.
Credentials
SKILL.md explicitly requires a Tavily API key and the mcporter tool, but the skill registry metadata lists no required environment variables or primary credential. This mismatch is a concern because the skill will not function without that key, and the instructions show adding the key into an mcporter URL (which can expose the key if stored in configs or logs).
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or system-wide configuration. The only persistent action implied is adding a Tavily MCP server to mcporter, which will store that endpoint/config in the mcporter config (expected for this functionality).
What to consider before installing
This skill appears to do what it says (use Tavily via mcporter to search X/Twitter), but there are important inconsistencies you should consider before installing:
- Metadata mismatch: The SKILL.md requires a Tavily API key and the mcporter skill, but the registry metadata does not declare any required env vars or credentials. Treat the Tavily API key as required even though it isn't listed.
- API key exposure: The instructions show adding the key into an mcporter URL (https://mcp.tavily.com/mcp/?tavilyApiKey=<YOUR_KEY>). That can cause the key to be stored in config files, appear in process listings, or be logged. Prefer storing keys in a secure credential store or environment variable if possible and check where mcporter persists its config.
- Trust the third party: The skill relies entirely on Tavily (mcp.tavily.com). Validate Tavily's reputation, review its privacy and access policies, and ensure the API key's scope is appropriate (rotate/revoke if needed).
- Confirm mcporter behavior: Installing/configuring mcporter will persist the MCP endpoint; review mcporter's code/config storage to know where the key will be saved and who/what can read it.
- Repo/source verification: The README/skill.json point to a GitHub repo (0x-wzw). The published 'source' and 'homepage' in the registry are unknown — confirm the upstream repository and review its history before trusting the skill.
If you decide to proceed: obtain a limited-scope Tavily key, avoid pasting secrets into shared shells or logs, verify mcporter's config storage location, and inspect the referenced GitHub repository and any related skills (mcporter) first.
Like a lobster shell, security has layers — review code before you run it.
