X/Twitter Research

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears aligned with X/Twitter research, but it uses a twitterapi.io API key, makes paid external API calls, and saves fetched tweet content into local report files.

Before installing, confirm you want the agent to use a twitterapi.io API key, understand the possible usage costs, and decide whether reports should be generated manually or on a schedule. Review generated markdown reports as untrusted research output rather than authoritative instructions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use your twitterapi.io account/key and may consume API quota or incur provider charges.

Why it was flagged

The skill uses a local twitterapi.io API credential for its documented requests. This is expected for the service, but it gives the skill paid API authority through the user's key.

Skill content

API key stored at: `~/.openclaw/secrets/twitterapi.env` ... All requests need header: `X-API-Key: $TWITTERAPI_KEY`

Recommendation

Use a dedicated or least-privilege twitterapi.io key if available, keep it in the documented secrets file, and rotate or revoke it if you stop using the skill.

What this means

If you or an agent schedules it repeatedly, it can consume API quota and create recurring small charges.

Why it was flagged

The skill explicitly encourages repeated external API calls and discloses approximate costs. This is purpose-aligned, but users should be aware of frequency and budget.

Skill content

Run this workflow every 4-6 hours to generate a trend report. ... Rate Limits & Costs ... Minimum $0.00015 per API call

Recommendation

Run or schedule reports only when needed, and set provider-side budget or quota limits if available.

What this means

Installation may appear simpler than actual use; the script may fail unless bash, curl, jq, and the documented secret file are present.

Why it was flagged

The registry metadata does not declare runtime dependencies or credentials, while the supplied artifacts include a shell helper that requires common command-line tooling and an API key file.

Skill content

No install spec — this is an instruction-only skill. ... Required binaries (all must exist): none ... Code file presence: 1 code file(s): generate-report.sh

Recommendation

Verify the local tools and secrets file before use, and treat the shell helper as part of the skill even though there is no install spec.

What this means

Saved reports may contain third-party text, links, or claims that should not be treated as instructions or trusted facts without review.

Why it was flagged

The helper stores retrieved public tweet text and links into local markdown reports. Those tweets are untrusted external content that may later be read back into an agent context.

Skill content

REPORT_FILE="$OUTPUT_DIR/solana-trends-$TIMESTAMP.md" ... echo "$SOLANA_TOP" | jq -r '.tweets[:10][] | "- **@\(.author.userName)** ... \(.text ... )... [→](\(.twitterUrl))"' >> "$REPORT_FILE"

Recommendation

Treat generated reports as untrusted research material, verify important claims, and do not let tweet text override user instructions or trigger actions.