OEE Social Research

Review

Audited by ClawScan on May 10, 2026.

Overview

The tool mostly matches its social-research purpose, but hidden instruction signals and an import path that can load unbundled code make it worth reviewing before use.

Before installing, inspect the original SKILL.md for hidden content, confirm the Python import path only loads the bundled files, and avoid sensitive research topics unless you are comfortable with local logs and third-party search providers seeing the queries.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may not be able to see all instructions the agent would receive from the skill file.

Why it was flagged

The SKILL.md artifact reports that a hidden comment block was removed, and the pre-scan also flags unicode-control-character prompt-injection patterns. Hidden or invisible instruction content can make an agent see instructions that are not visible to the user.

Skill content

"hiddenCommentBlocksRemoved": 1

Recommendation

Review the original SKILL.md, remove hidden comments/control characters, and republish the skill with only visible, auditable instructions.

What this means

The skill may execute an unintended or unreviewed Python module if a matching ravens package exists in the environment.

Why it was flagged

The script prepends a parent directory to Python's import path and imports ravens.fxtwitter, while the provided manifest contains fxtwitter.py at the skill root rather than a ravens/fxtwitter.py package. Running the documented command could fail or import code outside the reviewed skill files.

Skill content

sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
from ravens.fxtwitter import Tweet, search_tweets as fx_search, lookup_tweet

Recommendation

Change the import to use the bundled local module, avoid modifying sys.path to parent directories, and ensure all imported code is included in the manifest.

What this means

Sensitive research topics could remain in local log files after the command finishes.

Why it was flagged

The skill persists usage logs containing the user's research query. This is local and related to the tool's operation, but SKILL.md only discloses .cache and .briefings, not .logs.

Skill content

LOG_DIR = Path(__file__).parent / ".logs"
...
"query": query,
...
f.write(json.dumps(entry) + "\n")

Recommendation

Disclose the .logs directory and retention behavior, and let users clear or disable query logging.

What this means

If BRAVE_API_KEY is present, the skill can use that account's search quota and send queries to Brave Search.

Why it was flagged

The code optionally uses a Brave Search API key from the environment, but the registry metadata declares no environment variables. The key is used for the expected search provider, with no visible leakage.

Skill content

api_key = os.environ.get("BRAVE_API_KEY", "")
...
"X-Subscription-Token": api_key

Recommendation

Declare BRAVE_API_KEY as an optional credential and document when it will be used.

What this means

Research queries may be visible to external search providers beyond FxTwitter.

Why it was flagged

The fallback search path sends user queries to public SearXNG instances, and the visible code also includes DuckDuckGo and Nitter-style endpoints. This is aligned with web research, but the specific third-party destinations are not listed in SKILL.md.

Skill content

instances = [
        "https://search.bus-hit.me",
        "https://searx.be",
        "https://search.sapti.me",
    ]

Recommendation

Document all external services used and avoid entering private or sensitive topics unless external query disclosure is acceptable.