Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X Media Parser

v1.0.0

Parses X/Twitter posts and returns direct download links for their images and videos. Uses the vxtwitter API; no login required.

by Ingress (@ingress007)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The parse.sh and SKILL.md align with the declared purpose: they call the vxtwitter API and extract image/video URLs. The provided aria2 integration is plausible for a download helper, but some defaults in x-aria-download.sh (see below) are unexpected and not justified in the documentation.
Instruction Scope
The scripts perform exactly the parsing and optional download described, but x-aria-download.sh writes /tmp/tweet.json and then makes JSON-RPC calls to an aria2 RPC endpoint. Instead of using the earlier-scripted RPC/SECRET/DIR fallbacks or honoring environment variables, the embedded Python hard-codes rpc_url='http://10.0.0.1:6800/jsonrpc', secret='88888888', and dir_path='/mnt/sda1/download/X'. This mismatch means the skill may contact an unexpected internal host and use a fixed secret; that behavior is outside the documented/expected scope.
Install Mechanism
There is no install spec and no external code downloads; the skill is instruction-only with bundled scripts. That reduces supply-chain risk compared to fetching remote archives.
Credentials
SKILL.md declares no required env vars, and the top of x-aria-download.sh sets RPC_URL/SECRET/DIR defaults, but the embedded Python ignores those and hard-codes the RPC host, secret, and download directory. The presence of a hard-coded network target and a credential-like secret is disproportionate and unexplained.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges or modify other skills' configurations. It runs as a user-invoked helper script, which is expected.
What to consider before installing
This skill's parser appears to do what it claims, but the bundled download helper (x-aria-download.sh) contains surprising hard-coded values: rpc_url set to http://10.0.0.1:6800, secret '88888888', and dir '/mnt/sda1/download/X', and the embedded Python does not use the ARIA2_* environment variables declared earlier. Before installing or running:
1) Inspect the scripts locally (don't run them as root).
2) Ask the author why the aria2 RPC is hard-coded to 10.0.0.1 and why a fixed secret is embedded; request a patch to use ARIA2_RPC_URL, ARIA2_SECRET, and ARIA2_DIR consistently.
3) If you want to use the download helper, either modify the script to point to your aria2 RPC endpoint/secret or run it in a sandboxed environment where network activity to internal hosts is acceptable.
4) Consider using parse.sh alone to obtain direct URLs and handle downloads with tools you control.
If the author cannot explain or fix the hard-coded RPC/secret, treat the download helper as untrusted.


Runtime requirements

𝕏 Clawdis
