Twitter Api Alternative

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: twitter-api-alternative
Version: 1.2.1

The skill instructs the agent to install an external Node.js package, `mcporter`, via `npm install`. While this is a standard installation method and plausibly needed for the skill's stated purpose (interacting with the Xpoz service), `npm install` is a known vector for supply chain attacks, as packages can execute arbitrary code during installation (pre/post-install scripts). This is a significantly risky capability, even without clear evidence of intentional malicious behavior in the provided `SKILL.md` file itself. All network communication is declared to go to `mcp.xpoz.ai` and appears to serve the stated purpose of social media data search and export.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may add the mcporter CLI to the user's environment.

Why it was flagged

The skill depends on installing an external npm package. This is expected for the MCP workflow, but users still need to trust the package source.

Skill content

"install": [{"id": "node", "kind": "node", "package": "mcporter", "bins": ["mcporter"], "label": "Install mcporter (npm)"}]

Recommendation

Install from the expected npm source and keep the package updated; review package provenance if using it in a sensitive environment.

What this means

The agent can use the connected Xpoz account to make supported social-search requests.

Why it was flagged

The skill requires an Xpoz account and OAuth-based setup, even though no Twitter developer account is needed. This is disclosed and purpose-aligned, but it is still delegated account access.

Skill content

"credentials": "Xpoz account (free tier) — auth via xpoz-setup skill (OAuth 2.1)"

Recommendation

Use the intended Xpoz account, review the permissions during setup, and disconnect access if you no longer need the integration.

What this means

Search terms, profile lookups, and generated CSV export workflows may be visible to or handled by the Xpoz service.

Why it was flagged

The skill sends requests through the Xpoz MCP service. This external provider connection is central to the stated purpose, but user queries and returned export links pass through that service.

Skill content

"network": ["mcp.xpoz.ai"]

Recommendation

Avoid sending sensitive research queries unless you trust Xpoz's handling of query and export data; review the provider's privacy and retention terms.