ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X Extract

v1.0.0

Extract tweet content from x.com URLs without credentials using browser automation. Use when user asks to "extract tweet", "download x.com link", "get tweet...

0· 694·0 current·0 all-time
byChunhua Liao@chunhualiao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (extract tweets via browser automation) matches the provided SKILL.md, selectors reference, and the included script. No unrelated credentials, binaries, or config paths are requested. The skill's features (text, author, timestamp, media, engagement, optional media download) are all supported by the instructions and selector references.
Instruction Scope
Instructions stay within the stated purpose: they direct the agent to open the tweet URL with the platform browser tool, capture ARIA snapshots, extract fields, and optionally download media. One caution: the SKILL.md suggests using shell commands (curl/wget via exec) to download media URLs — that will cause the agent to fetch and write arbitrary remote URLs to disk if the user requests downloads. This is expected for media-download functionality but is a side-effect users should be aware of (disk writes, potentially untrusted URLs, and copyright considerations). Also, SKILL.md and references include both x.com and twitter.com, whereas the shipped scripts/extract.mjs enforces a simple check for 'x.com' only — a minor inconsistency in domain handling.
Install Mechanism
No install spec is included (instruction-only plus a small helper script). Nothing is downloaded from external URLs during installation and no archives are extracted. This is the lowest-risk install profile.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The code and SKILL.md do not access environment secrets. This is proportionate to a public-web scraping/browser-automation tool.
Persistence & Privilege
always is false (default). The skill does not request permanent/system-wide configuration changes and contains no steps to alter other skills. Autonomous invocation is allowed (platform default) and acceptable given the skill's purpose.
Assessment
This skill is internally consistent for scraping public x.com/twitter.com tweet pages via the platform browser tool and does not request credentials. Before installing, consider: 1) Media download option uses shell tools (curl/wget) to fetch and write remote URLs — only download media you trust and be mindful of disk storage and copyright. 2) Excessive automated requests may trigger X.com rate-limiting or IP blocking. 3) The included helper script is primarily an instructions writer (it prints snapshot instructions) and has a minor mismatch: SKILL.md supports both x.com and twitter.com but the script currently checks only for 'x.com'. If you require twitter.com domain support, review/adjust the code. 4) Ensure your OpenClaw agent’s browser tool access is intentional, since the skill relies on that tool to load pages. If you need higher assurance, review the script and selectors file line-by-line before enabling downloads or granting the agent broad autonomous access.

Like a lobster shell, security has layers — review code before you run it.

latestvk972v20tnhf20g8ssybvjqswzs818nwd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments