X / Twitter Search

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your search terms are sent to xAI or X, and X API mode may incur provider usage charges.

Why it was flagged

The skill performs network API calls as its core function. This is purpose-aligned and disclosed, but users should understand that searches are sent to external providers.

Skill content

Calls xAI's `/v1/responses` endpoint (Grok mode) or X's `/2/tweets/search/recent` endpoint (X API mode)

Recommendation

Use the skill only for queries you are comfortable sending to those providers, and verify command flags such as --x-api, --days, and --max before running.

What this means

The API key or bearer token can consume your provider quota or billing allowance if misused outside this skill.

Why it was flagged

The script uses bearer credentials to authenticate to the provider API. This is expected for the integration and the visible code sends them only to the disclosed API hosts.

Skill content

headers: { 'Authorization': `Bearer ${apiKey}`, }

Recommendation

Use least-privilege provider credentials where available, store them securely, and revoke or rotate them if you no longer use the skill.

What this means

It may be harder to confirm that the installed code matches a trusted upstream source.

Why it was flagged

The registry metadata does not identify a verified source repository, which limits provenance assurance even though the visible package is small and dependency-free.

Skill content

Source: unknown

Recommendation

Review the installed scripts/search.js before first use and install only from a trusted ClawHub entry or repository.