Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X / Twitter Search

v1.0.1

Search X/Twitter in real-time using Grok or X API. Find tweets, trends, and discussions with citations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (X/Twitter search) align with what is present: a Node script that calls either xAI's Responses API (x_search tool) or X's search API. Declared requirement (node) and primaryEnv (XAI_API_KEY) match the default Grok mode. Optional X_BEARER_TOKEN is documented and used only for the native X API path.
Instruction Scope
SKILL.md instructs running scripts/search.js and documents environment variables and modes; the script only makes HTTPS requests to api.x.ai and api.x.com and formats results. A pre-scan flagged 'system-prompt-override' because the script builds a systemPrompt sent to xAI in the request payload — this is expected for the Grok mode (it configures the remote model) and does not override the local agent's system prompt. Review of the script confirms it does not read local files, access other env vars, or call unexpected endpoints.
Install Mechanism
No install spec provided (instruction-only + included script). The skill requires node on PATH and contains a local script. There are no downloads from untrusted URLs or archive extraction steps in the repo.
Credentials
Only XAI_API_KEY is required (primary). The code also accepts optional X_BEARER_TOKEN/TWITTER_BEARER_TOKEN for the X API path; all requested env vars are directly used for calls to the documented endpoints. There are no unrelated or excessive credentials requested.
Persistence & Privilege
Skill is not always-enabled and sets disable-model-invocation: true (cannot be invoked autonomously), which reduces risk. The skill does not claim or appear to modify other skills or system-wide settings.
Scan Findings in Context
[system-prompt-override] expected: The script deliberately builds a 'systemPrompt' and includes it in the payload to xAI's Responses API; the scanner flags this pattern generically, but in this context it configures the remote model's behavior for search output and does not affect the host agent's system prompt or exfiltrate data.
Assessment
This skill appears to do what it says, but take these precautions before installing: (1) Inspect scripts/search.js (already included) and confirm you are comfortable sending XAI_API_KEY to api.x.ai and any X_BEARER_TOKEN to api.x.com. (2) Provide only the credential(s) you intend to use (e.g., give XAI_API_KEY only if using Grok mode); consider using an API key with limited scope and easy rotation. (3) Because the skill runs a local Node script, run it in an environment you control (not with highly privileged credentials). (4) Note the scanner flagged 'system-prompt-override' — this is expected because the skill sends a systemPrompt to the remote model; if you are concerned, review the payload formatting in the script. (5) If you have strict security needs, run the script in an isolated container or sandbox before adding to production.

Like a lobster shell, security has layers — review code before you run it.

latest: vk971ev51sdm84jcxys1sf2y4qd81htbq


Runtime requirements

Clawdis
Binaries: node
Env: XAI_API_KEY
Primary env: XAI_API_KEY
