Skill v1.0.0

ClawScan security

X-Twitter news search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 1:48 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and instructions align with its stated purpose of fetching and filtering tweets via the X/Twitter API and do not request unrelated credentials or perform unexpected I/O.
Guidance
This skill appears coherent: it simply calls the X/Twitter API and returns filtered tweet JSON. Before installing, be aware you must provide a valid TWITTER_BEARER_TOKEN (keep it secret), expect pay-per-use charges and rate limits noted in the docs, and confirm the API hostname (api.x.com) matches the official API for your account. The doc suggests storing the token with a local tool ('hermes') — you don't have to use that; store the token safely. If you plan to let agents call this skill autonomously, remember it will be able to make live API requests using your bearer token, so grant access only if you trust the agent's behavior and budget constraints.

Review Dimensions

Purpose & Capability
ok · Name/description, required binaries (curl, jq), and the single required env var (TWITTER_BEARER_TOKEN) match the declared purpose of calling the Twitter/X REST API and parsing JSON. Nothing requested appears unrelated to fetching tweets.
Instruction Scope
ok · SKILL.md only describes building queries, calling the API endpoint, and jq-based local filtering/formatting. It does not instruct reading unrelated files, scanning system state, or sending data to third-party endpoints. One minor note: the doc suggests saving the token with a 'hermes config set' command (a tool not listed as required) — this is a user convenience, not required for the skill to run.
Install Mechanism
ok · This is instruction-only with no install spec or downloaded code. That minimizes filesystem and supply-chain risk.
Credentials
ok · Only TWITTER_BEARER_TOKEN is required (declared as primaryEnv). No unrelated secrets or many environment variables are requested. The token is proportionate for API access.
Persistence & Privilege
ok · always:false and no special persistent privileges are requested. The skill does not modify other skills or system-wide config. Autonomous invocation is allowed by platform default but is not elevated here.