X/Twitter Prospecting
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears coherent and purpose-aligned: it uses a Brave Search API key to find public X posts and generate lead-scoring or outreach drafts, with minor setup and credential-use notes.
This looks safe to review as a lead-generation helper, but install it only if you are comfortable sharing search terms with Brave and using your Brave API quota. Treat generated replies, threads, and DM sequences as drafts that need human review before posting or sending.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can initiate Brave searches and produce suggested engagement or DM content, but the artifacts indicate drafts and recommendations rather than automatic social-media actions.
The skill exposes a Node command that can run searches and generate outreach-related outputs. This is central to the stated prospecting purpose, and the artifacts do not show automatic posting or account mutation.
Run with Node.js: `node {baseDir}/x-prospecting.js <command> [args]` ... `search` - Search X posts by keyword via Brave
Use the search and generated outreach as reviewed drafts; do not let an agent post or message people without explicit approval through a separate tool.
The skill may use your Brave API quota and send your search queries to Brave's search API.
The skill requires a Brave Search API key. This is expected for the Brave search integration, and the artifacts do not show hardcoded credentials, X/Twitter credentials, or unrelated account access.
requires:\n env: [BRAVE_API_KEY] ... `BRAVE_API_KEY` - Brave Search API key
Provide only a Brave API key intended for this use, monitor quota usage, and rotate the key if you stop using the skill.
Installation or execution may be less transparent because the registry metadata under-describes the runtime requirement and source provenance.
The registry metadata does not provide a source and does not declare Node as a required binary, even though SKILL.md instructs running a Node.js script. This is a minor setup/provenance gap, not evidence of malicious behavior.
Source: unknown ... No install spec — this is an instruction-only skill ... Required binaries (all must exist): none
Verify the package/source you install from and ensure Node.js is available before running the skill.
