Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Twitter Api Alternative

v1.2.1

Twitter API Alternative — Search 1B+ tweets with natural language queries, boolean filters, and one-click CSV exports (up to 64K rows). Look up profiles, find users by topic, and track conversations. No developer account needed, no complex OAuth setup — 2-minute setup via Xpoz MCP.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (Twitter API alternative, cross‑platform search and CSV export) match what the SKILL.md instructs: use the mcporter binary to invoke xpoz.* MCP actions and authenticate via an xpoz-setup skill. Required binary (mcporter) and the separate setup skill are plausible and proportionate to the stated purpose; no unrelated credentials or config paths are requested.
Instruction Scope
SKILL.md only instructs the agent to run the xpoz-setup skill and to invoke mcporter calls such as xpoz.getTwitterPostsByKeywords and to poll operation status. The instructions reference network interaction with the Xpoz MCP service (mcp.xpoz.ai) and CSV exports, which is consistent with the service functionality. The instructions do not ask the agent to read arbitrary local files or unrelated environment variables.
Install Mechanism
The install spec installs an npm package named mcporter (creates a mcporter binary). Using an npm package is a reasonable way to provide the required binary, but npm packages execute arbitrary code during install and at runtime and are a moderate supply‑chain risk. The spec does not use unknown download URLs or extract archives, which is good; still, verify the mcporter package source and maintainers before installing.
Credentials
No environment variables or secrets are requested by the skill itself. Authentication is delegated to the xpoz-setup skill (OAuth 2.1) and an Xpoz account, which is consistent with the service. There are no unrelated credential requests in the SKILL.md.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It is user‑invocable and allows normal autonomous invocation (platform default). It does not declare or attempt to modify other skills' configurations.
Assessment
This skill appears internally consistent with its description — it uses a helper tool (mcporter) to call the Xpoz MCP service and delegates auth to an xpoz-setup OAuth flow. Before installing:
1) Verify the mcporter npm package (publisher, downloads, repo) because npm installs run code on your machine.
2) Review Xpoz's privacy/terms — CSV exports can contain large amounts of user data and network traffic goes to mcp.xpoz.ai.
3) Inspect the xpoz-setup skill (what it stores and what scopes it requests) before granting OAuth access; prefer a dedicated account with minimal privileges.
4) If you have policy constraints, test in an isolated environment (VM/container) first.
If you want, provide the mcporter package link and xpoz-setup skill manifest and I can check them for further red flags.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: mcporter

Install

Install mcporter (npm)
Bins: mcporter
npm i -g mcporter