X Research But Cheaper
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: x-research-but-cheaper
Version: 1.0.1
The OpenClaw AgentSkills bundle 'x-research-but-cheaper' is designed for X/Twitter research via TwitterAPI.io. All network communication is directed to the legitimate `https://api.twitterapi.io` endpoint. API keys (`TWITTERAPI_KEY`) are read from environment variables, and the `README.md` provides explicit security warnings regarding potential logging by AI agents, recommending secure handling. File system operations for caching (`scripts/lib/cache.ts`) and saving output (`scripts/x-search.ts`) are confined to the skill's `data/` directory, and filenames are sanitized to prevent path traversal. There is no evidence of data exfiltration to unauthorized endpoints, persistence mechanisms, or prompt injection designed to subvert the AI agent for malicious purposes.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A broad or repeated research request could consume TwitterAPI.io credits or retrieve more public X data than the user intended.
Searches can perform repeated provider API calls based on command flags. This is purpose-aligned, but it is a paid API workflow and users should keep generated page counts and deep-research commands scoped.
const pages = quick ? 1 : nflag('pages', 3); ... for (let p = 0; p < effectivePages; p++) { const result = await searchTweets(q, cursor, queryType);
Review agent-generated commands before deep searches, set explicit `--pages` and `--limit` values, and consider adding a hard page cap in the code.
Running the skill may depend on an external, unpinned package runner, which adds normal npm supply-chain exposure.
The documented command uses `npx tsx` while the skill does not vendor or pin `tsx`; if it is not already installed, npx may run a package from npm at runtime.
npx tsx x-search.ts search "<query>" [options] ... No `npm install` needed — zero dependencies.
Install and pin a reviewed `tsx` version locally, or ship a compiled JavaScript entry point so the skill does not rely on dynamic npx resolution.
The API key authorizes paid TwitterAPI.io usage, so misuse or logging of the environment could expose the account or consume credits.
The skill reads a provider API key from the environment and uses it in TwitterAPI.io requests. This is expected for the integration and no hardcoded or printed key is shown in the visible code.
const k = process.env.TWITTERAPI_KEY; ... return { 'X-API-Key': getKey(), 'Content-Type': 'application/json' };
Set the key as an environment variable rather than inline in commands, monitor provider usage, and avoid sharing agent logs that may include environment setup details.
Search terms and requested accounts or tweets are visible to the provider, even though the data being retrieved is generally public X/Twitter content.
The tool sends search queries, usernames, tweet IDs, and other request parameters to the disclosed TwitterAPI.io provider. This is central to the skill's purpose.
const BASE = 'https://api.twitterapi.io'; ... const res = await fetch(url.toString(), { headers: headers() });
Do not put private or confidential information into search queries unless you are comfortable sending it to TwitterAPI.io.
Later sessions or local users with filesystem access may see cached research results or saved outputs, and stale cached results may influence future analysis until cleared.
Fetched API results are stored in a local cache under the skill directory. This is disclosed and used to reduce repeat API charges, but it creates persistent local research artifacts.
const CACHE_DIR = join(__dirname, '..', '..', 'data', 'cache'); ... writeFileSync(file, JSON.stringify(data));
Use the documented cache clear command when needed and avoid saving sensitive research outputs on shared machines.
