ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X Hourly Brief

v1.0.0

X Hourly Brief (Premium) — charge-first brief generation for high-value X posts. Supports Chinese/English output.

0· 344·1 current·1 all-time
by@huangkefeng-ai

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for huangkefeng-ai/x-hourly-brief-skill.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "X Hourly Brief" (huangkefeng-ai/x-hourly-brief-skill) from ClawHub.
Skill page: https://clawhub.ai/huangkefeng-ai/x-hourly-brief-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install x-hourly-brief-skill

ClawHub CLI

Package manager switcher

npx clawhub@latest install x-hourly-brief-skill
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements summarization of X post URLs, matching the stated purpose. However the inclusion of a built-in billing integration (skillpay.me) with a hardcoded API key and skill ID is notable: a paid skill may need billing, but embedding a service key inside the skill is unexpected and deserves scrutiny.
!
Instruction Scope
Runtime instructions call node scripts that fetch page text via third parties (r.jina.ai and api.fxtwitter.com) and then summarize locally. The skill will send the requested URLs (and the provided --user user-id) to external services; this data flow is not spelled out in the short description. If you expect fetches to remain local, note they will be proxied to external endpoints.
Install Mechanism
This is an instruction-only skill with a bundled script; there is no installer, package download, or archive extraction. Nothing on-disk beyond the included script is created by an install step.
!
Credentials
No required env vars are declared, but the script contains default values and optional env overrides for SKILLPAY_BILLING_URL, SKILL_BILLING_API_KEY, SKILL_ID, SKILLPAY_PRICE_TOKEN. A long-looking API key and skill ID are hardcoded in the script — this is poor practice and means billing calls will use the embedded credential unless overridden. Also the SKILL.md pricing (0.001 USDT) does not match the script's default PRICE_TOKEN and top-up logic (PRICE_TOKEN default 1 and topup amount 7), which is inconsistent and could surprise users.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always: false). It does not modify other skills or agent-wide configuration. Autonomous invocation remains possible (platform default) but is not an added privilege here.
What to consider before installing
This skill fetches X post content through third-party proxies (r.jina.ai and api.fxtwitter.com) and attempts to charge via a billing API (skillpay.me) using a hardcoded API key and skill ID. Before installing: (1) Decide whether you are comfortable that post content and the user-id you pass will be sent to those external services; (2) ask the publisher to explain the billing flow and why the API key is embedded — prefer using your own billing credentials if you will be charged; (3) verify the actual price/charge behavior (the README's price differs from the code defaults); (4) if you need privacy, run the script locally after replacing or removing the default billing key, or modify the fetch logic to avoid external proxies. Because of the embedded credential and opaque external calls, treat this skill with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk976wfdksjrnjjtj75wx5wgxs982b2yy
344downloads
0stars
1versions
Updated 7h ago
v1.0.0
MIT-0
@huangkefeng-ai
latest
Download

X Hourly Brief (Premium)

Generate a concise hourly brief from X post URLs.

Pricing

  • 0.001 USDT per call (1 token)
  • Charge-first
  • Low balance returns PAYMENT_URL

Run

node scripts/run.js --urls "https://x.com/.../status/1,https://x.com/.../status/2" --user "<user-id>" --lang "auto"

Output

  • Per-post brief (key points)
  • Final digest summary
  • Supports zh, en, auto

Optional env overrides

  • SKILLPAY_BILLING_URL
  • SKILL_BILLING_API_KEY
  • SKILL_ID
  • SKILLPAY_PRICE_TOKEN

Comments

Loading comments...