Skill v0.1.0

ClawScan security

X Reader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 11:30 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions are consistent with its stated purpose (reading X/Twitter posts via Nitter or RapidAPI); it only makes network requests to the listed services and optionally uses a RapidAPI key.
Guidance
This skill appears to do exactly what it says: fetch tweets either by scraping public Nitter instances or by calling RapidAPI when you provide RAPIDAPI_KEY. Consider the following before installing: (1) If you provide a RapidAPI key it will be sent to twitter-api45.p.rapidapi.com — only use a key you trust and avoid sharing high-privilege credentials. (2) Nitter instances are third-party services; requests and scraped content go to those hosts (privacy/availability varies by instance). (3) The registry metadata doesn't mark RAPIDAPI_KEY as optional; if you want that reflected, ask the publisher to update the registry. (4) Run this untrusted script in a sandbox if you want to be extra cautious. Overall the skill is coherent with its purpose.

Review Dimensions

Purpose & Capability
ok
Name/description match the behavior: code implements Nitter-based scraping and an optional RapidAPI call for tweet details. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
note
SKILL.md and the script limit actions to fetching tweets via Nitter instances or RapidAPI. Note: the script issues HTTP requests to third-party Nitter instances and to twitter-api45.p.rapidapi.com; this is expected but means requests (and tweet content) go to those external hosts.
Install Mechanism
ok
Instruction-only install: SKILL.md recommends 'pip install requests' only. There is no download-from-URL, archive extraction, or other install that would write arbitrary code to disk beyond the provided script.
Credentials
note
Registry metadata lists no required env vars, while SKILL.md and the script accept an optional RAPIDAPI_KEY. This is reasonable and limited, but the registry could explicitly mark RAPIDAPI_KEY as optional. Supplying the key will send it to RapidAPI when used.
Persistence & Privilege
ok
Skill does not request permanent/always-on presence and does not modify other skills or system-wide settings. It runs as a simple CLI script.