Twitter Search

Review

Audited by ClawScan on May 10, 2026.

Overview

The Twitter-search function is coherent, but the wrapper can automatically install an unpinned Python package and evaluates shell profile lines while handling the API key.

Use this only if you trust twitterapi.io and are comfortable reviewing the wrapper first. Safer use would be to preinstall requests in a virtual environment, remove the eval-based profile parsing, and provide a limited API key through a secure environment variable.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the wrapper may modify the user's Python environment and execute third-party package installation code without an explicit approval step.

Why it was flagged

The wrapper automatically installs an unpinned package from the Python package ecosystem at runtime, despite the skill being listed as having no install spec.

Skill content
if ! python3 -c "import requests" 2>/dev/null; then
    warn "requests module not found. Attempting to install..."
    pip3 install requests --user
fi
Recommendation

Declare the dependency, pin versions, prefer a virtual environment, and ask the user before installing packages automatically.

What this means

Unexpected local shell commands could run while the skill is only expected to load an API key and search Twitter.

Why it was flagged

The script uses eval on a line read from the user's shell profile to load TWITTER_API_KEY; command substitutions or shell syntax in that line would execute when the wrapper runs.

Skill content
eval "$(grep -E '^export TWITTER_API_KEY=' "$HOME/.bashrc" 2>/dev/null || true)"
Recommendation

Avoid eval; require the environment variable to already be set or parse the assignment safely without executing shell syntax.

What this means

A local user or diagnostic tool could potentially see the API key while the command is running.

Why it was flagged

The full API key is passed to the Python script as a command-line argument. This is purpose-aligned for the provider API, but API keys are sensitive and command-line arguments may be visible locally.

Skill content
python3 "$SCRIPT_DIR/twitter_search.py" "$TWITTER_API_KEY" "$QUERY" \
Recommendation

Use a securely scoped API key, avoid pasting keys into chat, and prefer passing secrets through protected environment or config mechanisms rather than command-line arguments.