OEE Social Research
v1.0.0Conduct tiered social media research on Twitter and web sources, compiling insights into structured briefings without requiring API keys for basic access.
⭐ 0· 693·0 current·0 all-time
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the code: the package implements tiered Twitter/X retrieval (FxTwitter), web search fallbacks, and browser scraping as described. It does not request unrelated cloud credentials or system-level access. Minor mismatch: the code imports ravens.fxtwitter via package-style import; this is likely coherent given the included __init__.py, but could break depending on install layout.
Instruction Scope
SKILL.md instructs agents to run the included script and does not ask for unrelated system files, but the pre-scan flagged 'unicode-control-chars' in SKILL.md (hidden/control characters) which can be used for prompt-injection or to hide instructions. The code writes logs (.logs/usage-*.jsonl) and cached queries (.cache/*.json) in the skill directory and will store full query text — a privacy risk. The instructions and code also perform remote network requests to many public/third-party endpoints (FxTwitter, SearXNG instances, DuckDuckGo HTML, various nitter instances).
Install Mechanism
There is no install spec (instruction-only with bundled code), so nothing is downloaded/installed during install. This lowers install-time risk. However, the runtime performs many outbound HTTP(S) requests to third-party instances (some are public/community endpoints), which is an operational risk rather than an installer risk.
Credentials
The skill declares no required env vars but the code optionally reads BRAVE_API_KEY for Brave Search; that is reasonable for an optional enhancement. No other secrets/credentials are requested. Concerning: query text and usage metadata are logged to disk in .logs and cached in .cache (may include sensitive search terms), and the skill may try to enrich search hits by calling external services, so sensitive inputs could be transmitted to remote hosts.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It persists data locally under the skill directory (.cache, .logs, .briefings), which is expected for caching/briefings but can hold sensitive data. Autonomous invocation is permitted (platform default); combined with logging and external network access this expands blast radius but is not a standalone error.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md contains unicode control characters or hidden characters. This is not necessary for a research-skill README and can be used to hide or manipulate prompts/instructions; treat as suspicious. The rest of the code does not rely on hidden characters.
What to consider before installing
What to consider before installing:
- Prompt-injection: The SKILL.md contains hidden Unicode/control characters (scanner flagged this). These can be used to hide instructions or influence agent behavior — inspect the raw SKILL.md (bytes) and remove unexpected control characters before trusting the skill.
- Privacy: The skill logs queries and usage to .logs and caches results in .cache and writes briefings to .briefings in the skill directory. If you will search sensitive topics, run this in a disposable or isolated environment and clear those directories afterwards.
- Network endpoints: At runtime the code contacts api.fxtwitter.com, multiple public SearXNG instances, DuckDuckGo HTML, optional Brave search (if BRAVE_API_KEY set), and several public nitter instances. Public community instances can be unreliable or privacy-poor — consider restricting network access or replacing endpoints with your own trusted services.
- Optional env var: BRAVE_API_KEY is supported but optional. Do not populate environment variables with unrelated secrets.
- Missing chunk: Part of social_research.py was truncated in the supplied bundle. Before installing or granting autonomous execution, review the full source (especially the Tier 3/browser automation section) to ensure it doesn't launch arbitrary binaries, execute remote scripts, or post results to unexpected endpoints.
- Safe deployment suggestions: run in a sandbox/container, restrict outbound network egress to known trusted hosts, disable autonomous invocation if you want to manually review outputs, and inspect/clean the .logs/.cache/.briefings directories after use.
If you want, I can: (1) show the raw bytes of SKILL.md so you can see/control characters, (2) search the full source for subprocess.exec/requests that post data externally, or (3) suggest simple code edits to remove logging of raw queries or limit external hosts.Like a lobster shell, security has layers — review code before you run it.
latest
🐾 Social Research (Ravens) — What Are People Saying?
by Odin's Eye Enterprises — Ancient Wisdom. Modern Intelligence.
Tiered X/Twitter research tool. Sends out the ravens, brings back intelligence.
What It Does
- Tier 1 — FxTwitter API (free, fast, public tweets)
- Tier 2 — Web search fallback (broader reach)
- Tier 3 — Browser scraping (last resort, full fidelity)
- Briefings — Compiled research reports
Trigger Phrases
- "what are people saying about"
- "social research on"
- "twitter research"
- "send the ravens"
- "what's the buzz on"
Usage
# Research a topic
python social_research.py "OpenAI GPT-5 reactions"
# Research with specific tier
python social_research.py "AI agents" --tier 1
# Get cached briefing
python social_research.py --briefing "topic"
Files
social_research.py— main research enginefxtwitter.py— FxTwitter API client.cache/— cached results (auto-managed).briefings/— compiled reports
Requirements
- Python 3.10+
- No API keys for Tier 1 (FxTwitter is free)
- Web search available via agent tools for Tier 2
For Agents
Run from the skill directory:
python social_research.py "TOPIC"
Output is a structured briefing on stdout.
<!-- 🐾 Huginn and Muninn fly at dawn -->Comments
Loading comments...