Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TwitterShots

v1.0.1

Generate high-quality screenshots of Twitter/X posts using the TwitterShots API. Use when the user wants to: capture a tweet as an image, screenshot a tweet,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description, SKILL.md, README, and the included Python script all consistently implement a single purpose: call https://api.twittershots.com/api/v1/screenshot/:statusId using an API key and return an image or URL. This capability is coherent with the stated purpose. However, the registry metadata at the top of the package (in the evaluation manifest) lists no required env vars or dependencies while the SKILL.md frontmatter and README declare a required TWITTERSHOTS_API_KEY and 'requests' dependency — a metadata mismatch worth noting.
Instruction Scope
SKILL.md and the Python script limit runtime actions to extracting tweet IDs, building query parameters, and making GET requests to api.twittershots.com. They do not instruct the agent to read unrelated files, other environment variables, or contact other external endpoints. The skill does not request broad discretionary access or vague 'gather context' operations.
Install Mechanism
There is no install spec (instruction-only) and the included script is runnable directly. The SKILL.md declares a Python dependency (requests) but the package has no automated install step; the top-level registry metadata omitted this dependency. This is likely sloppy metadata rather than a high-risk install mechanism, but you should ensure the runtime environment has the requests package or install it from a trusted source.
Credentials
The only credential logically required is an API key for TwitterShots (TWITTERSHOTS_API_KEY), which the SKILL.md, README, and script all reference and use appropriately. However, the registry metadata included with the skill incorrectly lists no required env vars/primary credential. That inconsistency could lead to confusion or misconfiguration; ensure the skill will be given ONLY a TwitterShots API key (not reused sensitive credentials like platform admin keys or AWS secrets).
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global config, and has no install hooks. It is user-invocable and may be invoked autonomously by agents (platform default), which is expected for this type of skill.
What to consider before installing
This skill appears to do exactly what it claims: call the TwitterShots API to render tweet screenshots and return an image or URL. Before installing: (1) Confirm the skill will only be given a TwitterShots API key (TWITTERSHOTS_API_KEY) and avoid reusing highly privileged or unrelated keys; (2) note the package metadata is inconsistent — SKILL.md/README require the requests library and an API key even though the top-level registry metadata omitted them, so be sure to install requests from a trusted source (pip) if you run the script locally; (3) review the API host (https://api.twittershots.com) and the service's privacy/TOS if you will send tweet content you consider sensitive; and (4) because the skill can be invoked autonomously by agents, only enable it in agents you trust or restrict it to manual invocation if you prefer. If the metadata mismatch concerns you, ask the publisher to correct the registry fields or inspect the code yourself before use.

Like a lobster shell, security has layers — review code before you run it.
