Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Keyapi Twitter Content Analytics

v1.0.0

Explore and analyze Twitter/X content at scale — retrieve user profiles, tweets, comments, replies, media, search across content types, monitor trending topi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name and description request a KeyAPI token and Node.js, and package.json depends on @modelcontextprotocol/sdk; these are expected for a KeyAPI MCP client that calls Twitter-related tools. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md and scripts/run.js limit calls to the KeyAPI MCP server and describe expected operations (list tools, get schema, call tools, pagination, caching). The runner reads a .env file, can prompt for and write KEYAPI_TOKEN into a .env file in the skill directory, and writes cache (.keyapi-cache) and optional output files. These behaviors are reasonable for a CLI client but mean your token and API responses are stored in plain files in the skill directory.
Install Mechanism
No remote archive downloads or obscure installers — the skill is instruction-only with a normal npm dependency (@modelcontextprotocol/sdk). SKILL.md instructs users to run npm install; package.json is small and appropriate for the stated functionality.
Credentials
Only KEYAPI_TOKEN is required (declared as primaryEnv), which is proportional to a third-party API client. However, the runner persists the token to a local .env file in plaintext if prompted and respects KEYAPI_SERVER_URL overrides, so misconfiguring the server URL or leaving the .env file in an unsafe location could expose the token or send requests to an unintended endpoint.
Persistence & Privilege
The skill does not request always:true or global privileges. Its persistent effects are limited to the skill directory (creating a .env file, .keyapi-cache, and optional output files). It does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it claims: a Node-based KeyAPI client for Twitter/X analytics that needs a KEYAPI_TOKEN. Before installing: (1) review the KEYAPI_SERVER_URL you use (default is https://mcp.keyapi.ai) — do not point it to unknown servers, (2) be aware the runner will save your token to a .env file in the skill directory and will create a .keyapi-cache directory with API responses, so store the skill in a directory you control and protect those files, (3) inspect scripts/run.js (already included) if you have privacy concerns, and (4) run npm install only from the skill folder and consider running the tool in an isolated environment if you want to limit blast radius.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/run.js:52
Environment variable access combined with network send.
scripts/run.js:37
File read combined with network send (possible exfiltration).



Runtime requirements

Runtime: Clawdis
Bins: node
Env: KEYAPI_TOKEN
Primary env: KEYAPI_TOKEN