Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Twitter Video Download

v1.0.2

Download videos from Twitter/X posts. Just give it a tweet URL and it will download the video to your specified location.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lemonpek66/twitter-video-download.

Install the skill "Twitter Video Download" (lemonpek66/twitter-video-download) from ClawHub.
Skill page: https://clawhub.ai/lemonpek66/twitter-video-download
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: PROXY_URL
Required binaries: python, pip
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install lemonpek66/twitter-video-download

ClawHub CLI


npx clawhub@latest install twitter-video-download

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability
The skill's purpose (download Twitter/X videos via yt-dlp) matches the implementation, but the declared required binaries are incomplete/inconsistent: the manifest lists python and pip (needed to install yt-dlp) but does not list node, yet the runtime is a Node script (download.mjs). A legitimate implementation would declare node (or not use Node).
Instruction Scope
SKILL.md instructions are narrowly scoped to downloading Twitter/X videos and installing yt-dlp. They do not request unrelated files or credentials. However the instructions (and registry metadata) mark PROXY_URL as required, while the script treats PROXY_URL as optional — this gives the skill broader assumed environment dependence than necessary.
Install Mechanism
There is no automatic install spec (instruction-only), and the README recommends installing yt-dlp via pip. No downloads from untrusted URLs or archive extraction are present in the package itself. This is low-risk but relies on the user running pip install yt-dlp manually.
[!] Credentials
Registry metadata lists PROXY_URL as a required environment variable. The code only reads PROXY_URL optionally and continues if it's unset; proxy is only needed for users behind network restrictions. Marking it required is disproportionate. PROXY_URL may contain host/port or credentials — treat it as sensitive and only set if necessary.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or global settings. It runs a one-off yt-dlp process and writes files to the user-specified output directory.
What to consider before installing
This skill appears to implement the advertised feature, but there are a couple of mismatches you should address before installing or running it:

  • The Node script (download.mjs) requires Node to run, but the registry metadata does not declare node as a required binary. Ensure your environment provides Node (node/npm) or ask the author to update the metadata.
  • The manifest marks PROXY_URL as required, but the script treats it as optional (used only when set). Only set PROXY_URL if you need a proxy; avoid placing credentials in that variable unless you trust the source and understand where that proxy forwards traffic.
  • The skill spawns the yt-dlp executable to download remote media. yt-dlp will perform network requests to Twitter/X and possibly third-party hosts (CDNs). Only use this skill if you trust the author and the yt-dlp package you install (pip install yt-dlp from PyPI). Consider installing yt-dlp in a controlled environment (virtualenv) first.

Recommended actions:

  1) Request the author or maintainer to add 'node' to required binaries or provide a pure-Python implementation.
  2) Ask them to mark PROXY_URL as optional in registry metadata so it isn't treated as mandatory.
  3) Review the Node script locally (it is included) and test in a VM or isolated environment before giving it broad access to your filesystem.
  4) If you must use a proxy, avoid embedding sensitive credentials in PROXY_URL unless necessary; prefer a local proxy or secure credential handling.

Given these inconsistencies, treat the package with caution until the metadata and documentation are aligned with the actual runtime requirements.

Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • scripts/download.mjs:7: Shell command execution detected (child_process).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎬 Clawdis
Bins: python, pip
Env: PROXY_URL
Latest: vk971c1pdefkzbgj3gd4x8jsjbd82w6t0
Downloads: 362
Stars: 0
Versions: 3
Updated 12h ago
v1.0.2
MIT-0

Twitter Video Download

Download videos from Twitter/X posts using yt-dlp.

Setup

# Install yt-dlp
pip install yt-dlp

# Configure proxy (required for China users)
# Twitter/X is overseas, proxy is needed to access
# Please replace with your proxy address
setx PROXY_URL "http://your-proxy-address:port"

Usage in OpenClaw

Just tell me:

"Download this Twitter video: https://x.com/xxx/status/xxx"

Or specify a save location:

"Download video to D:\Videos: https://x.com/xxx/status/xxx"

I will automatically call this skill to execute the download.

Command Line Usage

# Enter skill directory
cd [skill_directory]\scripts

# Set proxy environment variable (replace with your proxy)
set PROXY_URL=http://your-proxy-address:port

# Download video
node download.mjs "https://twitter.com/username/status/123456789"

# Specify output directory
node download.mjs "https://twitter.com/username/status/123456789" --output "D:\Downloads"

# Specify filename
node download.mjs "https://twitter.com/username/status/123456789" --filename "my_video"

Options

  • -o, --output <path>: Output directory (default: current directory)
  • -f, --filename <name>: Custom filename (without extension)
  • -q, --quality <quality>: Video quality (best/bestvideo/worst)

Examples

node download.mjs "https://x.com/username/status/123456789" --output "D:\Downloads"

Security Notes

  • No shell execution: Uses spawn with shell: false for security
  • URL validation: Only accepts twitter.com and x.com URLs
  • Filename sanitization: Prevents path traversal attacks
  • Proxy validation: Validates proxy URL format before use
  • yt-dlp: Uses the well-known, trusted yt-dlp library
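
As an added example (not the skill's scripts/download.mjs, which this page does not show), here is one way the four checks listed above can be written so a reviewer knows what to look for in the real script. The function names are hypothetical and the allowed host and proxy scheme lists are assumptions; `--proxy`, `-o` and `--` are existing yt-dlp options.

```javascript
// Added illustration; names below are hypothetical, not taken from the skill.
const ALLOWED_HOSTS = new Set(['twitter.com', 'www.twitter.com', 'x.com', 'www.x.com']);
const PROXY_SCHEMES = new Set(['http:', 'https:', 'socks5:']); // assumed allow-list

// Exact hostname match on the parsed URL; substring or endsWith checks
// would accept look-alike hosts such as x.com.example.net.
function validateTweetUrl(raw) {
  const u = new URL(raw); // throws on malformed input
  if (u.protocol !== 'https:') throw new Error('https only');
  if (u.username || u.password) throw new Error('userinfo not allowed');
  if (!ALLOWED_HOSTS.has(u.hostname)) throw new Error('host not allowed');
  if (!/^\/[A-Za-z0-9_]+\/status\/\d+\/?$/.test(u.pathname)) throw new Error('not a status URL');
  return u.origin + u.pathname; // drop query string and fragment
}

// Conservative character set: no path separators survive, and the '%' that
// yt-dlp output templates interpret is replaced; leading dots/dashes are stripped.
function sanitizeFilename(name) {
  const clean = String(name).replace(/[^A-Za-z0-9._ -]/g, '_').replace(/^[.\- ]+/, '').slice(0, 100);
  if (!clean) throw new Error('empty filename');
  return clean;
}

// PROXY_URL is optional: unset means no --proxy argument at all.
function validateProxy(raw) {
  if (!raw) return null;
  const p = new URL(raw);
  if (!PROXY_SCHEMES.has(p.protocol) || !p.hostname) throw new Error('bad proxy URL');
  return raw;
}

// Every value is its own argv element; nothing is joined into a command line.
function buildArgs({ url, filename, proxy }) {
  const args = [];
  const proxyUrl = validateProxy(proxy);
  if (proxyUrl) args.push('--proxy', proxyUrl);
  if (filename) args.push('-o', `${sanitizeFilename(filename)}.%(ext)s`);
  args.push('--', validateTweetUrl(url)); // '--' ends option parsing
  return args;
}

// shell: false (spawn's default) passes argv to yt-dlp with no shell in between.
async function download(opts, outDir = process.cwd()) {
  const { spawn } = await import('node:child_process');
  const argv = buildArgs({ proxy: process.env.PROXY_URL, ...opts });
  const child = spawn('yt-dlp', argv, { cwd: outDir, shell: false, stdio: 'inherit' });
  return new Promise((resolve, reject) => child.on('error', reject).on('close', resolve));
}
```

When reviewing the real script, compare its host check, filename handling and spawn options against these points; a proxy URL that carries credentials should also be kept out of any logged argument list.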

Notes

  • Supports twitter.com and x.com links
  • Supports GIF download (converted to MP4)
  • Proxy is required for China users, otherwise SSL connection error will occur
  • Videos are saved in MP4 format

💖 If this skill is useful for you, please give it a star on ClawHub to show your support! It helps others discover this skill too.
