X Analytics CLI

Security checks across malware telemetry and agentic risk

Overview

The skill is coherently aimed at read-only X/Twitter analytics, but users should review its OAuth credential use and the unpinned global npm CLI install before use.

Before using this skill, verify the `x-analytics-cli` npm package is trustworthy and use narrowly scoped X API credentials. The visible behavior is read-only and aligned with X/Twitter analytics, but credentials and global package installation deserve review.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

If configured, the agent can use your X API credentials to retrieve data available to that account and API tier.

Why it was flagged

The skill requires X account/API credentials and can use them to make authenticated X API requests. This is expected for the stated integration, but those tokens are sensitive and should be scoped and protected.

Skill content

The CLI requires four OAuth 1.0a credentials: API Key, API Secret, Access Token, and Access Token Secret.

Recommendation

Use least-privileged/read-only X API credentials where possible, store them securely, avoid sharing them in chat, and revoke or rotate tokens if no longer needed.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing an unpinned global npm package may run third-party code on the local machine and will later handle X API credentials.

Why it was flagged

The skill depends on an external global npm package, but the provided artifacts include no reviewed code, install spec, version pin, homepage, or source repository. This is purpose-aligned for a CLI wrapper, but users should verify the package provenance.

Skill content

If the CLI is not installed, install it:

npm install -g x-analytics-cli

Recommendation

Verify the npm package owner/source and pin a trusted version before installation, especially before providing OAuth credentials.