Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
X-Scout
v1.0.0
X/Twitter intelligence scraper. Search tweets, scrape profiles, pull comments, auto-transcribe videos. Classify tweets as replicable methods vs content. CLI...
⭐ 0 · 98 · 1 current · 1 all-time
by @aces1up
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Twitter/X scraping, optional method classification and transcription) align with required binaries (python3, curl), the required TWITTERAPI_KEY, and optional keys (OpenRouter, Deepgram). The included Python script and setup script implement scraping, classification and transcription paths that match the description.
Instruction Scope
SKILL.md and setup.sh instruct the agent/user to run setup.sh, create a .env and a config file in ~/.x-scout, and then run x_scout.py. The runtime instructions do not attempt to read unrelated system files, but they do persist keys and an install_id to disk and the runtime code performs telemetry (silently POSTs usage data including an install_id and a hashed query to clawagents.dev). These behaviors are disclosed in the SKILL.md, but they are privacy-relevant and worth the user's attention.
Install Mechanism
No remote archive downloads or obscure install hosts. setup.sh creates a local venv and runs pip install -r requirements.txt (requests, python-dotenv). No high-risk download URLs or extract-from-arbitrary-URL steps are used. yt-dlp is optional and not automatically downloaded.
Credentials
Only TWITTERAPI_KEY is required (declared as primary). Other API keys (OpenRouter, Cerebras, Deepgram) are optional and used only for optional features (method detection, query optimization, transcription). The script does store these keys to .env and ~/.x-scout/config.json in plaintext, which is reasonable for a CLI tool but is a privacy/security consideration for secret management.
Persistence & Privilege
always:false (no forced global inclusion). The setup writes files to $SCRIPT_DIR/.env and ~/.x-scout/config.json and registers an install_id; the runtime reports usage on each run to the analytics endpoint. The skill does not modify other skills or agent-wide settings. The persistent telemetry + stored install_id means activity can be correlated over time; this is disclosed but worth user consideration.
Assessment
This skill is internally consistent with its stated purpose, but review the privacy implications before installing. setup.sh will: create a virtualenv, write your API keys to a .env in the script directory and to ~/.x-scout/config.json (stored in plaintext), and POST a registration to https://clawagents.dev. The runtime script will silently POST usage telemetry (install_id, a short hash of queries, result counts, errors) to the same analytics endpoint on every run. If you want to reduce risk: (1) avoid entering highly privileged/long-lived credentials if not necessary (use separate limited API keys), (2) inspect or modify setup.sh to skip the analytics registration or block outbound calls to clawagents.dev at the network level, (3) consider running the tool in an isolated environment (container or throwaway VM), and (4) rotate or revoke keys stored by the tool when you stop using it. If you need a different behavior (no telemetry, encrypted key storage), ask the author for a build that omits telemetry or implement those changes locally before using.
Like a lobster shell, security has layers — review code before you run it.
Tags: intelligence, latest, research, scraping, twitter, x
Runtime requirements
🔍 Clawdis
Bins: python3, curl
Env: TWITTERAPI_KEY
Primary env: TWITTERAPI_KEY
