X Smart Read
v2.0.4 · Personal X (Twitter) analytics — timeline engagement, mentions, follower tracking, read any tweet/thread, bookmarks, and combined briefings via X API v2. Cos...
⭐ 0 · 518 · 0 current · 0 all-time
by Aaron McLachlan (@nevaaron)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The skill's purpose is X (Twitter) analytics, and the code and docs clearly require X API credentials (API Key/Secret, Access Token/Secret, Bearer Token) and store config under ~/.openclaw/skills-config/x-twitter/. However, the registry metadata declares no required environment variables and no primary credential. That mismatch (declaring "none" while the scripts and SETUP.md expect and persist five credentials) is a material incoherence and should be resolved before trusting the package.
Instruction Scope
SKILL.md and the scripts are narrowly scoped to calling the X API via tweepy, caching results to a local data directory, and printing summaries. The runtime instructions explicitly warn about costs and include budget guards. Two behavioral notes: (1) the skill provides --force and --no-budget flags that let a caller bypass budget blocking/warnings (so an agent could be instructed to spend freely), and (2) setup imports credentials from ~/.openclaw/.env or prompts interactively and then writes a config.json — this means secrets move onto disk. The scripts do not read unrelated system files or contact unknown external endpoints.
Install Mechanism
There is no formal install spec in the registry (the package is instruction/code-only). The docs instruct users to install 'uv' and show a curl | sh command for uv (https://astral.sh/uv/install.sh). That installer invocation is documented (not executed automatically by the skill) and is a common but higher-risk pattern because it pulls a remote install script. The packaged Python scripts use tweepy and run via 'uv run', which is consistent with the documented workflow.
Credentials
Although the registry lists no required environment variables, SETUP.md and the scripts expect and document five X credentials (API Key & Secret, Access Token & Secret, Bearer Token) plus a local config file. The skill stores those secrets under ~/.openclaw/skills-config/x-twitter/config.json (SETUP.md says with permissions 0600). Omitting these required secrets from the metadata is a material inconsistency and misleading to anyone relying on the registry listing. Separately, the ability to disable budget checks (--no-budget, --force) increases the risk of unexpected spend if an agent calls the skill autonomously.
Persistence & Privilege
The skill persists data and credentials only under its own directory (~/.openclaw/skills-config/x-twitter/) and the docs state config is saved with restrictive permissions. It does not request always:true and will not be force-included. This is expected for a personal analytics tool. The noteworthy point: stored credentials and cached tweets/mentions/bookmarks are persistent on disk — review config.json and data/ files and ensure filesystem protections meet your security requirements.
What to consider before installing
This package implements X/Twitter analytics and requires your X API credentials, but the skill metadata incorrectly lists no required environment variables; treat that as a red flag. Before installing:
(1) verify the source repository (the homepage is missing and the owner id is opaque);
(2) inspect scripts/x_setup.py to confirm how keys are stored and that they are saved only to ~/.openclaw/skills-config/x-twitter/config.json with restrictive permissions;
(3) be cautious about running the 'curl | sh' installer for uv: fetch the script and review it before executing;
(4) if you allow an AI agent to invoke skills autonomously, consider restricting it from using --no-budget or --force (or remove those flags) to avoid unexpected API spend;
(5) if you plan to install, populate credentials manually and confirm the config.json contents, or keep credentials out of env if you prefer an alternate secret store.
The overall functionality appears legitimate, but the metadata omission and budget-override flags justify caution (suspicious) rather than outright blocking.
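Steps (2) and (5) above come down to checking what ends up on disk. The following is an added example, not code from the X Smart Read skill or from the OpenClaw scanner, that audits the credential file the scan describes: it confirms the file is mode 0600 and owned by you, that the parent directory is not group/world accessible, and that all five credentials are present, while only ever reporting redacted values. The JSON key names (api_key, api_secret, access_token, access_token_secret, bearer_token) are assumptions; the page names the credentials but not the keys x_setup.py writes, so adjust EXPECTED_KEYS after reading that script.

```python
"""Added example: audit a skill's on-disk credential file.

Not part of X Smart Read or OpenClaw. Assumes the layout the scan describes
(~/.openclaw/skills-config/x-twitter/config.json, expected mode 0600). The JSON
key names below are assumptions, not taken from the skill's scripts.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed key names for the five credentials SETUP.md lists.
EXPECTED_KEYS = ("api_key", "api_secret", "access_token",
                 "access_token_secret", "bearer_token")

DEFAULT_CONFIG = Path.home() / ".openclaw" / "skills-config" / "x-twitter" / "config.json"


def redact(value: str) -> str:
    """Show just enough of a secret to confirm it is populated."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def audit_config(path: Path = DEFAULT_CONFIG, expected_keys=EXPECTED_KEYS) -> dict:
    """Return findings for a credential file; never returns the secrets themselves."""
    findings = {"path": str(path), "ok": True, "problems": [], "keys": {}}
    if not path.is_file():
        findings["ok"] = False
        findings["problems"].append("config file missing")
        return findings

    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings["ok"] = False
        findings["problems"].append(f"file mode is {mode:04o}, expected 0600")
    # Ownership check only where the platform exposes uids (POSIX).
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings["ok"] = False
        findings["problems"].append("file is not owned by the current user")

    parent_mode = stat.S_IMODE(path.parent.stat().st_mode)
    if parent_mode & 0o077:
        findings["ok"] = False
        findings["problems"].append(
            f"directory mode is {parent_mode:04o}, group/other can reach it")

    try:
        data = json.loads(path.read_text())
    except json.JSONDecodeError as exc:
        findings["ok"] = False
        findings["problems"].append(f"config is not valid JSON: {exc}")
        return findings

    for key in expected_keys:
        value = data.get(key)
        if isinstance(value, str) and value:
            findings["keys"][key] = redact(value)
        else:
            findings["ok"] = False
            findings["problems"].append(f"missing or empty credential: {key}")
            findings["keys"][key] = None
    return findings


def harden(path: Path) -> int:
    """Tighten to 0600 (file) / 0700 (directory); return the resulting file mode."""
    os.chmod(path.parent, 0o700)
    os.chmod(path, 0o600)
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> tuple:
    """Constructed scenario: a config written world-readable, then hardened.

    Returns (findings_before, findings_after, findings_incomplete) so the
    effect of each check can be inspected without touching ~/.openclaw.
    """
    tmp = Path(tempfile.mkdtemp())          # mkdtemp creates the dir as 0700
    cfg = tmp / "config.json"
    cfg.write_text(json.dumps({k: "x" * 20 for k in EXPECTED_KEYS}))
    os.chmod(cfg, 0o644)                    # the weak setting
    before = audit_config(cfg)
    harden(cfg)
    after = audit_config(cfg)
    cfg.write_text(json.dumps({"api_key": "x" * 20}))   # four credentials missing
    incomplete = audit_config(cfg)
    return before, after, incomplete


if __name__ == "__main__":
    report = audit_config()
    print(json.dumps(report, indent=2))
    raise SystemExit(0 if report["ok"] else 1)
```

Run it with no arguments to audit the real path; the exit status makes it usable as a pre-install gate in a script. Note that the ownership and mode checks are POSIX semantics; on Windows the mode bits are not meaningful and ACLs would need checking instead.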
latest: vk97bqfby24v88cagqc6zbzshwn81jscc
Runtime requirements: Clawdis · Bins: uv
