X Hourly Brief
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly coherent as a paid X-post briefing tool, but its script embeds a billing API key and charges a user-specified account before doing the work.
Review this carefully before installing. It is a paid skill that charges before doing the brief, includes a hardcoded billing key, and relies on external services to fetch X content. Only run it if you trust the publisher and billing endpoint, and avoid providing private or sensitive URLs.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can spend or alter billing balance for the supplied user ID, and the bundled key makes the billing authority difficult for users to validate or scope.
The script includes a hardcoded billing API key fallback and uses it to charge a billing account identified by a command-line user ID. This is high-impact account authority, and the registry metadata declares no primary credential or required env vars.
const API_KEY = process.env.SKILL_BILLING_API_KEY || 'sk_74e1969ebc92fcf58257470c50f8bb76e36c9da0d201aa69861e28c62f5bd48e'; ... headers: { 'content-type': 'application/json', 'x-api-key': API_KEY }, body: JSON.stringify({ user_id: userId, skill_id: SKILL_ID, amount: PRICE_TOKEN })
Do not use this unless you trust the publisher and billing endpoint. The developer should remove hardcoded secrets, declare credential requirements, bind charges to an authenticated platform user, and require clear per-call billing consent.
A call may be charged before the script knows whether any requested post can be fetched or summarized.
The script performs billing before fetching or summarizing any X URLs. This matches the advertised charge-first model, but users should notice that invocation itself triggers the paid action.
const c = await charge(); ... for (const u of urls.slice(0, 20)) { const t = await fetchText(u);
Invoke it only when you intend to pay for that run; the developer should add clearer confirmation and refund/error behavior for failed fetches.
The X post URLs you provide may be sent to external fetch/proxy services in addition to X itself.
The skill fetches content through third-party services r.jina.ai and api.fxtwitter.com. This is purpose-aligned for retrieving public X post text, but these providers are not called out in SKILL.md.
const toJina = (u) => `https://r.jina.ai/http://${u.replace(/^https?:\/\//, '')}`; ... if (!t && id) t = await tryFetch(`https://api.fxtwitter.com/i/status/${id}`)
Use only public or non-sensitive URLs, and the developer should disclose all external providers used for retrieval.
