Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
X Master
v1.0.0
Master routing skill for all X/Twitter operations — reading, researching, posting, and engaging. Routes to the correct sub-tool based on the task. Covers rea...
by Jeremy Knows (@jeremyknows)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be a routing layer for X/Twitter operations and, as an instruction-only skill, it routes reads to a third-party proxy (api.fxtwitter.com) and routes posting to optional sub-skills. That overall design is plausible and proportionate for a router. Minor mismatch: the skill metadata and registry show no required env vars, yet the README/SKILL.md document optional X credentials and posting scripts—reasonable for optional posting but worth noting (the skill itself does not declare or require credentials).
Instruction Scope
Runtime instructions require the agent to always send x.com/twitter.com URLs to the public fxtwitter API (https://api.fxtwitter.com/...), and the README instructs creating a .env with X_BEARER_TOKEN / OAuth secrets for sub-skills. Those env vars are not declared in the skill metadata. Importantly, this routing design sends user-provided tweet URLs (and potentially content) to a third-party service, which is a data-exposure decision the installer should accept explicitly. The skill also references posting scripts and sub-skills that are not bundled; you should audit those before allowing posting actions.
Install Mechanism
Instruction-only (no install spec, no code files executed by the platform). This is low-risk from a disk/execution perspective. The README suggests cloning a repo or installing sub-skills with 'clawhub'—these are out-of-band steps the user would run; they are not automated by the skill. Verify the source of any sub-skill installs before running them.
Credentials
The skill declares no required env vars, but its README and SKILL.md instruct users to populate X API credentials (X_BEARER_TOKEN, X_OAUTH_TOKEN/SECRET) and optional keys for sub-skills (XAI_API_KEY, SCRAPECREATORS_API_KEY). Requesting those credentials is proportionate only if you intend to perform posting or direct API operations; however, the skill does not surface these as required fields in the registry metadata, which creates a gap between declared requirements and runtime instructions. Sensitive credentials will be used by sub-skills or posting scripts—audit those components and store credentials securely.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It is an instruction-only router and does not modify other skills or agent configs. Autonomous invocation is permitted by default (platform default) but not combined with any 'always: true' or other persistent privileges.
What to consider before installing
This skill is a documentation-based router that tells the agent to fetch tweet content via the public fxtwitter API and to delegate posting to external scripts/sub-skills. Before installing or using it:
1) Accept that reading any x.com/twitter.com URL will be proxied to https://api.fxtwitter.com (a third-party server) — this exposes URLs and derived content to that service; verify you are comfortable with that and with its privacy/ToS.
2) If you plan to post, audit any posting scripts (scripts/x-post.js) and the sub-skills (xurl, x-engage, etc.) before providing X API tokens; do not put production credentials into an unaudited repo or shared .env.
3) Confirm the origin and source repository for this skill (homepage/source are missing here); prefer skills from known authors or review the repo history.
4) Treat X_BEARER_TOKEN/OAuth secrets as sensitive — only provide them after reviewing the code that will use them and prefer scoped, least-privilege credentials.
If you only need read-only functionality and are uncomfortable sending data to the public fxtwitter instance, consider alternative approaches (official X API via xurl or local fetching behind an approved proxy).
Like a lobster shell, security has layers — review code before you run it.
