X (Twitter) Data Scraper

What to consider before installing/running: - The skill's metadata claims no credentials, but its README/SKILL.md and code require an X API bearer token (X_BEARER_TOKEN) and the Playwright scraper expects a cookies file. This mismatch is a red flag: the registry info should list required secrets. Treat the package as requiring secrets even if metadata omits them. - The Playwright scraper loads cookies from a hardcoded root path (/root/cookies_fixed.json) and CAPABILITY.md references /root paths and a login credentials file. Running these scripts with real cookies or account credentials can expose those secrets; do not point them at your primary account credentials. Prefer using a throwaway/test account or only use API tokens with limited scope. - The code accepts HTTPS_PROXY / https proxy environment variables. If you set a proxy, traffic (including bearer tokens) could be routed through that proxy—ensure it is trusted. - There are several documentation mismatches (missing script names, differing credential filenames). This indicates sloppy packaging; ask the publisher for clarification or a corrected manifest before trusting the skill with sensitive credentials. - If you still want to use it: inspect and run the code in an isolated environment (sandbox, VM, or container), avoid providing your primary X/Twitter credentials, and prefer using only the API bearer token stored in a limited-permission place. Remove or change hardcoded paths (/root/...) to a safe location you control. What would reduce concern: a corrected registry manifest that explicitly lists required env vars (X_BEARER_TOKEN), a clear explanation of cookie usage and the exact cookie file path, removal of hardcoded /root paths (or explicit documentation explaining why they are used), and an owning homepage/author identity you can verify.