TwitterApi Research
Pass. Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate read-only X/Twitter research tool, but it uses a twitterapi.io API key, sends searches to that provider, and stores some local search/watchlist data.
Install only if you are comfortable using twitterapi.io for X/Twitter research. Configure a dedicated TWITTERAPI_IO_KEY, monitor API-credit usage and agent logs, clear local caches/watchlists/drafts for sensitive research, and treat tweets plus linked pages as untrusted sources rather than instructions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your twitterapi.io key is used to authenticate API calls, and searches may spend API credits.
The skill requires a third-party API key and can consume that account's prepaid credits. This is disclosed and purpose-aligned, but the registry metadata does not declare a primary credential or required env var.
x-search reads your key from the `TWITTERAPI_IO_KEY` env var or `~/.config/env/global.env`.
Use a dedicated twitterapi.io key with limited prepaid exposure, set it as an environment variable rather than inline in commands, review agent/tool logs, and rotate the key if exposed.
The installer may not warn you about required setup or help verify the upstream source.
The registry metadata lacks source/homepage and setup declarations even though the README/SKILL.md describe a GitHub install path, Bun usage, and a TWITTERAPI_IO_KEY requirement.
Source: unknown; Homepage: none; Required env vars: none; No install spec — this is an instruction-only skill.
Verify the repository/source you install from, confirm the code matches the reviewed artifacts, and manually configure Bun plus TWITTERAPI_IO_KEY before use.
A malicious or low-quality tweet/link could influence the agent's synthesis if treated as authoritative.
The skill asks the agent to fetch links discovered in tweets. That is normal for research, but tweet-linked pages are untrusted inputs and could contain misleading content or prompt-injection text.
When tweets link to GitHub repos, blog posts, or docs, fetch with `web_fetch`.
Treat tweets and fetched pages as untrusted sources, avoid fetching suspicious/private/internal URLs, and verify important claims against primary sources.
Your local disk may retain research topics, monitored accounts, and retrieved tweet content.
Search queries, parameters, and returned tweets are written to local cache files; SKILL.md also documents a persistent watchlist and optional saved research drafts.
`const entry: CacheEntry = { query, params, timestamp: Date.now(), tweets }; ... writeFileSync(path, JSON.stringify(entry, null, 2));`
Use the cache clear command and remove watchlist/draft files when researching sensitive topics, especially on shared or backed-up machines.
