X Research
Pass
Audited by ClawScan on May 10, 2026.
Overview
This looks like a coherent read-only X/Twitter research tool, with notable but disclosed use of a paid X API token, local caching, and optional heartbeat monitoring.
Before installing, make sure you are comfortable providing an X API bearer token and paying for API reads. Set spending limits in the X Developer Console, use quick mode for casual checks, clear local cache/drafts when needed, and only enable heartbeat watchlist monitoring if you want periodic API calls.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Deep research or broad searches may spend prepaid X API credits.
The agentic research loop intentionally makes multiple X API calls. This matches the stated purpose, but it can consume paid API credits.
Turn the research question into 3-5 keyword queries... Run each query via CLI.
Use quick mode or low page counts for exploratory work, and set X Developer Console spending limits.
The skill can use the configured X API token and may spend credits tied to that developer account or app.
The skill uses an X bearer token for API authentication. The shown code sends it only to api.x.com for the documented X research functions.
if (process.env.X_BEARER_TOKEN) return process.env.X_BEARER_TOKEN; ... headers: { Authorization: `Bearer ${token}` }
Use a token intended for this purpose, apply least-privilege settings where possible, and rotate the token if it is exposed elsewhere.
A user relying only on metadata may be surprised that setup requires a runtime and a paid API credential.
The registry metadata under-declares requirements that the README/SKILL/code disclose, including Bun and X_BEARER_TOKEN.
Required binaries: none ... Required env vars: none ... Primary credential: none ... No install spec — this is an instruction-only skill.
Review the README and code before use; the publisher should declare Bun and X_BEARER_TOKEN in metadata.
Local cache files can reveal research topics and may preserve stale or untrusted social-media content.
Search queries and retrieved tweets are persisted locally in cache files for reuse within the TTL.
const CACHE_DIR = join(import.meta.dir, "..", "data", "cache"); ... query, params, timestamp, tweets ... writeFileSync(path, JSON.stringify(entry, null, 2));
Clear the cache if research topics are sensitive, and treat cached X content as untrusted source material.
If heartbeat monitoring is enabled, the skill may periodically call the X API and spend credits.
The skill documents optional recurring heartbeat use. The provided artifacts do not install a background daemon, but platform heartbeat use could trigger monitoring without a direct prompt each time.
On heartbeat, can run `watchlist check` to see if key accounts posted anything notable.
Enable heartbeat checks only intentionally, keep the watchlist bounded, and monitor API usage.
