ClawHub
Back to skill
v1.0.0

X Interact

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:52 AM.

Analysis

This skill is a coherent Tavily/MCP search helper for X.com content, with the main things to notice being its use of a Tavily API key and a remote MCP provider.

GuidanceThis looks safe for its stated purpose if you intend to use Tavily for X.com search. Before installing, make sure you trust Tavily and mcporter, use a dedicated Tavily API key, and avoid sending sensitive private queries or URLs through the service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceMediumStatusNote
SKILL.md
Prerequisites ... mcporter — OpenClaw skill for MCP tool calling

The skill depends on a separate mcporter capability, but the registry requirements list no required binaries or install specification for that dependency.

User impactThe reviewed artifact set does not include the mcporter implementation, so the behavior of that separate tool is outside this skill’s files.
RecommendationInstall mcporter only from a trusted source and review its permissions before using this skill.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Requires Tavily API key ... mcporter config add tavily https://mcp.tavily.com/mcp/?tavilyApiKey=<YOUR_KEY>

The skill needs a Tavily API key and places it in the MCP server configuration URL, while the registry metadata lists no primary credential or required environment variables.

User impactYou will be granting the skill access to use your Tavily API quota, and the key may be stored in your local mcporter configuration.
RecommendationUse a dedicated Tavily key with limited scope if possible, keep it out of shared logs or screenshots, and revoke or rotate it if exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
Tavily is configured as an MCP server and provides the interface for X.com content through search indexing.

The skill routes search and extraction requests through an external MCP provider, so queries and URLs are shared with Tavily as part of the intended workflow.

User impactSearch terms, account names, topics, and URLs you ask it to extract may be sent to Tavily.
RecommendationAvoid sending private, confidential, or sensitive investigation targets unless you are comfortable sharing them with Tavily under its terms.