X Research But Cheaper

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent read-only X/Twitter research tool, with normal cautions around its API key, provider calls, local caching, and npx-based runner.

This skill looks reasonable if you intend to use TwitterAPI.io for X/Twitter research. Before installing, make sure you are comfortable with paid API usage, provider visibility into your search queries, local cache/watchlist files, and the `npx tsx` runner; set the API key securely and review broad agent-generated searches.

VirusTotal

64/64 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

A broad or repeated research request could consume TwitterAPI.io credits or retrieve more public X data than the user intended.

Why it was flagged

Searches can perform repeated provider API calls based on command flags. This is purpose-aligned, but it is a paid API workflow and users should keep generated page counts and deep-research commands scoped.

Skill content
const pages = quick ? 1 : nflag('pages', 3); ... for (let p = 0; p < effectivePages; p++) { const result = await searchTweets(q, cursor, queryType);
Recommendation

Review agent-generated commands before deep searches, set explicit `--pages` and `--limit` values, and consider adding a hard page cap in the code.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Running the skill may depend on an external, unpinned package runner, which adds normal npm supply-chain exposure.

Why it was flagged

The documented command uses `npx tsx` while the skill does not vendor or pin `tsx`; if it is not already installed, npx may run a package from npm at runtime.

Skill content
npx tsx x-search.ts search "<query>" [options] ... No `npm install` needed — zero dependencies.
Recommendation

Install and pin a reviewed `tsx` version locally, or ship a compiled JavaScript entry point so the skill does not rely on dynamic npx resolution.

ASI03: Identity and Privilege Abuse
Low
What this means

The API key authorizes paid TwitterAPI.io usage, so misuse or logging of the environment could expose the account or consume credits.

Why it was flagged

The skill reads a provider API key from the environment and uses it in TwitterAPI.io requests. This is expected for the integration and no hardcoded or printed key is shown in the visible code.

Skill content
const k = process.env.TWITTERAPI_KEY; ... return { 'X-API-Key': getKey(), 'Content-Type': 'application/json' };
Recommendation

Set the key as an environment variable rather than inline in commands, monitor provider usage, and avoid sharing agent logs that may include environment setup details.

ASI07: Insecure Inter-Agent Communication
Info
What this means

Search terms and requested accounts or tweets are visible to the provider, even though the data being retrieved is generally public X/Twitter content.

Why it was flagged

The tool sends search queries, usernames, tweet IDs, and other request parameters to the disclosed TwitterAPI.io provider. This is central to the skill's purpose.

Skill content
const BASE = 'https://api.twitterapi.io'; ... const res = await fetch(url.toString(), { headers: headers() });
Recommendation

Do not put private or confidential information into search queries unless you are comfortable sending it to TwitterAPI.io.

ASI06: Memory and Context Poisoning
Low
What this means

Later sessions or local users with filesystem access may see cached research results or saved outputs, and stale cached results may influence future analysis until cleared.

Why it was flagged

Fetched API results are stored in a local cache under the skill directory. This is disclosed and used to reduce repeat API charges, but it creates persistent local research artifacts.

Skill content
const CACHE_DIR = join(__dirname, '..', '..', 'data', 'cache'); ... writeFileSync(file, JSON.stringify(data));
Recommendation

Use the documented cache clear command when needed and avoid saving sensitive research outputs on shared machines.