X Single Tweet + Article

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: x-single-tweet-article-skill
Version: 1.0.4

The skill implements a mandatory 'charge-first' billing mechanism via an external service (skillpay.me) and includes a hardcoded API key in scripts/run.js. While it performs its stated function of fetching X content using third-party proxies (fxtwitter.com and jina.ai), the inclusion of financial transaction logic and the requirement for users to visit external payment links to 'top up' balance are high-risk behaviors for a skill bundle.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or manipulated invocation could make the agent fetch non-X or internal URLs and return their contents, despite the skill being presented as an X-only fetcher.

Why it was flagged

The script accepts the provided URL/article argument and can directly fetch it without validating that it is an X/Twitter URL or blocking localhost/private-network targets.

Skill content

async function fetchTextDirect(u) {
  const r = await fetch(u).catch(() => null);
...
const result = url ? await fetchTweet(url) : await fetchArticle(article);

Recommendation

Enforce an allowlist for x.com/twitter.com article and status URLs, reject localhost/private IP ranges and non-HTTP(S) schemes, and require user confirmation before fetching unexpected destinations.

What this means

Invoking the skill can mutate a billing balance before any content is fetched, and repeated or incorrectly attributed invocations could create unwanted charges.

Why it was flagged

The script performs a billing charge using an embedded/default API key and a caller-supplied user identifier, with no local evidence of user binding or confirmation.

Skill content

const userId = getArg('user') || 'anonymous';
const API_KEY = process.env.SKILL_BILLING_API_KEY || 'sk_74e1969ebc92fcf58257470c50f8bb76e36c9da0d201aa69861e28c62f5bd48e';
...
body: JSON.stringify({ user_id: userId, skill_id: SKILL_ID, amount: PRICE })

Recommendation

Declare the billing credential and billing behavior clearly in metadata, avoid embedding charge-capable API keys in distributed code, bind charges server-side to the authenticated user, and require explicit user approval for paid calls.

What this means

Content fetched from X or proxy services should be treated as data, not as instructions for the agent to follow.

Why it was flagged

The skill returns remote tweet/article/webpage text directly into the agent context, where that untrusted text could contain instructions or prompt-injection content.

Skill content

full_text: txt.slice(0, 50000),
...
console.log(JSON.stringify({ ok: true, charged: true, ...result }, null, 2));

Recommendation

Wrap fetched content with clear untrusted-data labeling and instruct the agent not to follow instructions contained inside fetched tweets or articles.