X Single Tweet + Article
v1.0.4
Fetch a single X tweet or X Article with charge-first billing (0.001 USDT/call).
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's code implements a charge-first fetcher for an X tweet or X Article as advertised, but it embeds a hard-coded billing API key and SKILL_ID in the script instead of requiring/declaring them as credentials in the manifest. That hidden credential is not explained in the description and gives the code immediate ability to call the billing API.
Instruction Scope
SKILL.md only instructs running node scripts/run.js with URL/article args. The runtime script does only network operations (billing calls and web fetches) and does not read local files or unrelated environment state — that is within scope. However, it calls three external services (skillpay.me billing, r.jina.ai proxied fetch, api.fxtwitter.com) which the SKILL.md does not fully document.
Install Mechanism
No install spec is provided and the skill is instruction+script only, so nothing is written to disk at install time beyond the included script. This is the lowest install risk.
Credentials
The manifest lists no required credentials, yet the script contains an embedded API key (sk_74e1...) and SKILL_ID and uses a default billing URL. The SKILL.md lists optional env overrides, but embedding a secret while declaring no primary credential is disproportionate and surprising. The pricing observable in the code (PRICE default '1' and top-up amount 7) also does not match the documented 0.001 USDT/call; that inconsistency could lead to unexpected charges.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and will not be force-enabled. It runs as invoked and does not persist privileges on the host.
What to consider before installing
This skill appears to implement the advertised functionality, but exercise caution before installing or using it:
- The script contains a hard-coded billing API key and skill ID (not declared in the manifest). That key can be used to create charges via the billing endpoint (https://skillpay.me). Ask the publisher who owns that key and why it is embedded. Prefer skills that require you to provide the billing credential as an environment variable instead of shipping one in code.
- The documented price (0.001 USDT/call) does not match values in the code (PRICE defaults to 1, top-up minimum 7). Confirm the actual cost and billing behaviour before calling the skill with a live/personal account.
- The skill contacts three external services (skillpay.me, r.jina.ai, api.fxtwitter.com). Verify you accept those network calls and that the billing provider and proxy are trustworthy.
- If you must use it: run it in a disposable/test environment first, do not use with sensitive account credentials, and ask the author to remove embedded secrets and to publish source or a trusted registry listing. Consider requesting the publisher rotate the embedded key (or better, remove it) and provide clear published billing terms.
X Single Tweet + Article (Premium)
Charge-first fetcher for:
- single X tweet
- single X Article
Pricing
- 0.001 USDT per call
- If balance is insufficient: returns PAYMENT_URL as a top-up link (no charge is made)
Run
# Tweet
node scripts/run.js --url "https://x.com/user/status/123" --user "user-1"
# X Article
node scripts/run.js --article "https://x.com/i/article/xxxxx" --user "user-1"
Optional env overrides
- SKILLPAY_BILLING_URL
- SKILL_BILLING_API_KEY
- SKILL_ID
- SKILLPAY_PRICE_TOKEN