ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X Search 1.0.0

v1.0.0

Search X (Twitter) posts using the xAI API. Use when the user wants to find tweets, search X/Twitter, look up what people are saying on X, or find social med...

0· 51·0 current·0 all-time
by@github2cao·duplicate of @perfectworldltd/x-search-1-0-0
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binary (python3), and required env var (XAI_API_KEY) align with contacting the x.ai Responses (Grok) API to perform searches. The API endpoint (https://api.x.ai/v1/responses) and model usage in code match the stated purpose.
Instruction Scope
SKILL.md instructs only to set XAI_API_KEY and run the included script, which is what the code does. Minor inconsistency: SKILL.md suggests you can set skills."x-search".apiKey or skills."x-search".env.XAI_API_KEY in ~/.openclaw/openclaw.json, but the provided search.py reads only the XAI_API_KEY environment variable and does not read that config file. Also the _meta.json ownerId differs from the registry ownerId in the supplied metadata (two different owner IDs), which is a metadata mismatch worth checking with the publisher.
Install Mechanism
Install spec is a single Homebrew formula for python (standard). No downloads from unknown hosts and no archive extraction; code files are included in the skill package.
Credentials
The skill requests one credential (XAI_API_KEY) which is the expected credential for the xAI API. No other secrets or unrelated environment variables are required.
Persistence & Privilege
The skill does not request always:true and is user-invocable; it does not modify other skills or system configs. It runs on demand and only needs the environment variable to operate.
What to consider before installing
This skill appears to do what it says (search X via xAI/Grok) and only needs your XAI_API_KEY and python3. Before installing: 1) Confirm you trust the skill publisher — the package metadata includes two different ownerId values (registry vs _meta.json) which you may want to verify. 2) Note SKILL.md mentions storing the key in ~/.openclaw/openclaw.json, but the script only reads XAI_API_KEY from the environment — if you set the key only in the JSON config it may not be picked up. 3) Limit the API key's permissions if possible and check your x.ai console for usage after first runs. 4) You can review and run the included tests (scripts/test_search.py) locally to confirm behavior before giving the key to this environment. 5) If you need higher assurance, ask the publisher to reconcile the ownerId mismatch and confirm whether the skill intends to read ~/.openclaw/openclaw.json.

Like a lobster shell, security has layers — review code before you run it.

latestvk971a4rxerrm5f3d9d0a9wmrhh840570

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

𝕏 Clawdis
Binspython3
EnvXAI_API_KEY
Primary envXAI_API_KEY

Install

Install Python (brew)
Bins: python3
brew install python

Comments