X Single Tweet + Article

Warn: Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its paid X-fetching purpose, but its script can fetch arbitrary URLs and can charge a billing account using an embedded API key and a user-supplied user ID.

Review carefully before installing. The skill is transparent that it charges per call, but the code should be tightened to only fetch X URLs and to make paid billing authorization and user binding explicit.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or manipulated invocation could make the agent fetch non-X or internal URLs and return their contents, despite the skill being presented as an X-only fetcher.

Why it was flagged

The script accepts the provided URL/article argument and can directly fetch it without validating that it is an X/Twitter URL or blocking localhost/private-network targets.

Skill content

async function fetchTextDirect(u) {
  const r = await fetch(u).catch(() => null);
...
const result = url ? await fetchTweet(url) : await fetchArticle(article);

Recommendation

Enforce an allowlist for x.com/twitter.com article and status URLs, reject localhost/private IP ranges and non-HTTP(S) schemes, and require user confirmation before fetching unexpected destinations.

What this means

Invoking the skill can mutate a billing balance before any content is fetched, and repeated or incorrectly attributed invocations could create unwanted charges.

Why it was flagged

The script performs a billing charge using an embedded/default API key and a caller-supplied user identifier, with no local evidence of user binding or confirmation.

Skill content

const userId = getArg('user') || 'anonymous';
const API_KEY = process.env.SKILL_BILLING_API_KEY || 'sk_74e1969ebc92fcf58257470c50f8bb76e36c9da0d201aa69861e28c62f5bd48e';
...
body: JSON.stringify({ user_id: userId, skill_id: SKILL_ID, amount: PRICE })

Recommendation

Declare the billing credential and billing behavior clearly in metadata, avoid embedding charge-capable API keys in distributed code, bind charges server-side to the authenticated user, and require explicit user approval for paid calls.

What this means

Content fetched from X or proxy services should be treated as data, not as instructions for the agent to follow.

Why it was flagged

The skill returns remote tweet/article/webpage text directly into the agent context, where that untrusted text could contain instructions or prompt-injection content.

Skill content

full_text: txt.slice(0, 50000),
...
console.log(JSON.stringify({ ok: true, charged: true, ...result }, null, 2));

Recommendation

Wrap fetched content with clear untrusted-data labeling and instruct the agent not to follow instructions contained inside fetched tweets or articles.