Back to skill
Skillv1.0.14
ClawScan security
X (Twitter) API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 30, 2026, 4:14 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's declared purpose (a single-key wrapper for X/Twitter data) aligns with its requirements and instructions, but the publisher/source is not well-known so you should verify vendor trust and billing before installing.
- Guidance
- This skill appears internally consistent for calling agntdata's X/Twitter proxy: it only needs curl and an AGNTDATA_API_KEY and documents the endpoints it will call. Before installing, verify you trust the agntdata service (app.agntdata.dev / api.agntdata.dev) — check its billing, data retention/privacy policy, and that the credit-based pricing fits your use. Do not reuse highly privileged or unrelated secrets as AGNTDATA_API_KEY. When first using it, test with a limited API key or sandbox account and monitor API/billing usage. If you need stronger assurance, prefer the official plugin mentioned in the README or contact the vendor for provenance (npm package, source repo, or org verification).
Review Dimensions
- Purpose & Capability
- okName/description describe a proxy/wrapper for X (Twitter) data; the only runtime requirements are curl and a single API key (AGNTDATA_API_KEY), which are exactly what such an integration would need.
- Instruction Scope
- okThe SKILL.md contains only API usage instructions: set AGNTDATA_API_KEY, call a registration endpoint, and invoke documented endpoints under https://api.agntdata.dev/v1/data/x. It does not instruct reading unrelated files, other environment variables, or system paths.
- Install Mechanism
- okThere is no install spec and no code files (instruction-only). That minimizes on-disk changes and execution of downloaded code; expected for this kind of skill.
- Credentials
- okOnly one credential (AGNTDATA_API_KEY) is required and declared as the primary credential. That is proportionate to the described API wrapper; no unrelated secrets or config paths are requested.
- Persistence & Privilege
- okalways:false and default autonomous invocation are set. The skill does not request permanent system-wide presence or modify other skills' configs. Autonomous invocation is normal for skills.