Search X

Pass. Audited by ClawScan on May 1, 2026.

Overview

Search X appears purpose-aligned: it runs a bundled Node script to send user-requested X/Twitter searches to xAI using your API key.

This skill is reasonable to install if you are comfortable using xAI for X/Twitter search. Use a dedicated API key if possible, avoid sensitive searches, confirm Node is available from a trusted source, and verify the package/repository because the registry metadata is not perfectly consistent.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may not run unless Node is available, and users should verify they are running the intended bundled script.

Why it was flagged

The runtime instructions require Node, while the registry lists no required binaries and no install spec. This is a metadata completeness/provenance note rather than hidden execution because the script is included and no remote installer is shown.

Skill content

node {baseDir}/scripts/search.js "AI video editing"

Recommendation

Declare Node as a required runtime, keep registry/SKILL/package versions consistent, and install only from a trusted package or repository.

What this means

Searches can consume the user's xAI API quota and operate under the user's xAI account.

Why it was flagged

The script uses an xAI API key from the environment or local config, including a generic xai fallback key. This is expected for xAI search, but it is account credential use.

Skill content

if (process.env.XAI_API_KEY) { return process.env.XAI_API_KEY; } ... config?.skills?.entries?.['search-x']?.apiKey || config?.skills?.entries?.xai?.apiKey

Recommendation

Use a dedicated, revocable xAI API key where possible and monitor usage in the xAI console.

What this means

Search terms, handles, date filters, and related request metadata are shared with xAI.

Why it was flagged

The script sends the user's query and authorization token to xAI's Responses API. This external provider call is disclosed and central to the skill's purpose, but it is still a data boundary users should notice.

Skill content

const API_BASE = 'api.x.ai'; ... path: '/v1/responses' ... input: `${systemPrompt}\n\nSearch X/Twitter for: ${options.query}` ... 'Authorization': `Bearer ${apiKey}`

Recommendation

Avoid searching for confidential or sensitive internal topics unless sharing them with xAI is acceptable under your policies.