Vincent - Twitter

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears purpose-aligned for Twitter/X data lookup through Vincent, but users should notice it creates a stored Vincent key, runs an unpinned npx CLI, and can spend Vincent credits per call.

Install only if you are comfortable letting the agent use Vincent's proxy to make paid Twitter/X data requests. Claim the generated secret, limit available credit or payment exposure, monitor remaining credit, and consider pinning or verifying the Vincent CLI package before use.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may consume Vincent credits while performing Twitter/X searches or lookups.

Why it was flagged

The skill intentionally lets the agent make paid Vincent API calls on the user's behalf, which is expected for the service but should be understood before installation.

Skill content

This skill is designed for **autonomous agent operation with pay-per-call pricing and human oversight**.

Recommendation

Use a limited credit balance, monitor `_vincent.creditRemainingUsd`, and ask the agent to confirm before broad or repeated searches if cost matters.

What this means

Anyone or any agent with access to the stored Vincent key may be able to use the associated Vincent data-source credit until it is revoked.

Why it was flagged

The skill creates and persists a scoped Vincent bearer token for future data-source calls. This is disclosed and tied to the stated integration, but it is still delegated account authority.

Skill content

the agent creates a `DATA_SOURCES` secret at runtime ... The CLI stores the returned API key automatically during creation.

Recommendation

Claim the secret, keep the credential path protected, limit available credit or payment settings, and revoke the key from Vincent when no longer needed.

What this means

A future CLI release could change behavior, cost handling, or credential handling without this SKILL.md changing.

Why it was flagged

The skill's examples execute the Vincent CLI from npm using the floating `@latest` version. This is central to the skill, but the exact code version can change over time.

Skill content

`npx @vincentai/cli@latest twitter search --key-id <KEY_ID> --q bitcoin --max-results 10`

Recommendation

Prefer pinning a reviewed CLI version where possible, or verify the Vincent CLI package/source before using it with stored credentials or payment-backed credit.