X Tweet Fetcher
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A fetched tweet or article could contain text that tries to influence the agent if the agent treats it as instructions.
The skill returns externally sourced tweet and article text into the agent context. This is core to the skill, but that text may contain instructions or prompt-injection content from untrusted public posts.
"text": tweet.get("text", ""), ... article_data["full_text"] = full_textUse the fetched content as data only; do not let tweet or article text override the user's task, tool choices, or safety rules.
FxTwitter can observe which public tweet URLs are requested through this skill.
The script sends the requested tweet username and ID to the third-party FxTwitter API. This provider use is disclosed and purpose-aligned, and no credentials or local data are sent.
api_url = f"https://api.fxtwitter.com/{username}/status/{tweet_id}" ... urllib.request.urlopen(req, timeout=15)Avoid using it for tweet lookups you consider sensitive, and be aware that availability and behavior depend on FxTwitter.
The skill may not run on systems without Python even though the registry requirements list no binaries.
The docs require a Python runtime while the registry requirement list declares no required binaries. This is an operational metadata gap, not evidence of hidden install behavior.
- Python 3.7+\n- No external packages (stdlib only)
Confirm Python 3.7 or newer is available before installing or invoking the skill.