Opentwitter

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: opentwitter-2
Version: 0.1.0

The skill bundle is designed to interact with the '6551 API' for Twitter/X data, requiring a `TWITTER_TOKEN` environment variable for authentication. All `curl` commands in `SKILL.md` are directed to `https://ai.6551.io` endpoints, sending the token and JSON payloads consistent with the stated purpose. There is no evidence of data exfiltration to unauthorized destinations, arbitrary command execution, persistence mechanisms, or prompt injection attempts against the agent. The behavior is transparent and aligns with a standard API integration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can use the documented commands to query Twitter/X-related data through the 6551 API.

Why it was flagged

The skill exposes direct curl-based API operations. This is purpose-aligned for an API data skill, but users should understand that requests are made directly to the external service.

Skill content

curl -s -X POST "https://ai.6551.io/open/twitter_search" ... -H "Authorization: Bearer $TWITTER_TOKEN"

Recommendation

Use the skill for intended queries only and review requested usernames, search terms, and limits before allowing broad automated use.

What this means

Anyone or any agent process using this skill with the environment variable can make authenticated 6551 API requests under that token.

Why it was flagged

The skill requires a bearer token for the 6551 API. This is disclosed and expected, but the token is still delegated account authority.

Skill content

All endpoints require a Bearer token via `$TWITTER_TOKEN`.

Recommendation

Provide a scoped token if available, keep it out of logs and shared sessions, and revoke it if you stop using the skill.

What this means

Users have less registry-level context for who maintains the skill and where to verify it.

Why it was flagged

The package provenance is not fully described. There is no included executable code beyond instructions, so this is a provenance notice rather than a concrete unsafe behavior.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify that the publisher and 6551 API endpoint are trusted before installing or providing a token.

What this means

Twitter/X usernames, search terms, and the bearer token are transmitted to the 6551 API when the skill is used.

Why it was flagged

The skill sends authenticated requests and query parameters to an external provider. This is disclosed and purpose-aligned, but it is a data boundary users should notice.

Skill content

**Base URL**: `https://ai.6551.io`

Recommendation

Do not send sensitive private inputs as search parameters unless you are comfortable sharing them with the provider.