Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Twitterapi Io

v3.8.1

Interact with Twitter/X via TwitterAPI.io — search tweets, get user info, post tweets, like, retweet, follow, send DMs, and more. Covers all 67 active endpoi...

1· 996·0 current·1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto · Can make purchases · Requires sensitive credentials · Posts externally
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (read/write Twitter via twitterapi.io) legitimately requires an API key and, for write actions, user login/session data and proxy credentials. However, the registry metadata declares no required environment variables or primary credential, even though SKILL.md repeatedly references $TWITTERAPI_IO_KEY and login/session tokens. This mismatch is incoherent and should be corrected or explained by the publisher.
Instruction Scope (flagged)
SKILL.md contains many explicit runtime instructions (curl examples) that ask callers to supply usernames, passwords, a 16-character TOTP secret, login_cookies/auth_session, and proxy credentials. It also documents an endpoint that takes login_cookies as a GET query parameter (exposing the cookie in URLs/logs). These instructions go beyond simple read-only usage and place sensitive secrets directly into requests and potentially logs; the guidance around handling these secrets is incomplete and risky.
Install Mechanism
This is an instruction-only skill with no install spec or included binaries/code, so there is no installer behavior or third-party downloads to review. That lowers the risk of hidden executable payloads.
Credentials (flagged)
The skill will require an API key ($TWITTERAPI_IO_KEY) and, for write actions, account credentials/2FA secrets and proxy credentials. These are high-sensitivity secrets; the registry declares none of them as required environment variables or a primary credential, so the metadata understates what the skill actually needs and is likely to mislead users about what they must provide. Additionally, passing session cookies in query strings (as documented) is a known vector for credential leakage.
Persistence & Privilege
The skill does not request permanent inclusion (always: false), does not modify other skills, and has no install-time persistence. Normal autonomous invocation is enabled (platform default) but is not combined here with other privilege escalations.
What to consider before installing
This skill is an instructions-only wrapper for TwitterAPI.io and will ask you for sensitive data (the twitterapi.io API key, your account username/password, a 2FA/TOTP secret, session cookies and proxy credentials) when performing write actions. Before installing or using it:
(1) demand the publisher declare TWITTERAPI_IO_KEY as a required credential in metadata;
(2) avoid pasting account passwords or 2FA secrets into third-party tools unless you fully trust the publisher and their hosting;
(3) be aware the skill documents an endpoint that sends session cookies in the URL (this can leak to logs and browser history): avoid using that endpoint, or supply cookies only in request bodies/headers over HTTPS;
(4) prefer read-only usage (search/user info) if you don't want to expose login credentials or proxy auth;
(5) verify the skill's source/homepage and look for community/reviewer trust before supplying any credentials.


latestvk972wbve3frkw35ggnnqjeyj2h84vr17
