Skill v1.0.1
ClawScan security
Wip X · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Feb 21, 2026, 6:57 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is generally what it claims (an X/Twitter API client) but contains several inconsistencies and secret-handling behaviors (1Password CLI use, mismatched declared requirements) that merit review before installing or granting credentials.
- Guidance: This package appears to be a legitimate X/Twitter API wrapper, but review these before installing:
  1) Expect to provide X credentials (bearer or full OAuth); the registry metadata omitted them — don't assume no secrets are needed.
  2) The code will try to read secrets from 1Password via the 'op' CLI (executes 'op read'); confirm you want the op CLI to be used and verify the vault/item names (README vs auth.mjs disagree).
  3) Only grant write-scoped OAuth tokens if you trust the code — write tokens can post or delete tweets.
  4) Note the MCP server exposes tools that can be called programmatically; limit which agents or environments can run it.
  5) Do a quick code review (auth.mjs, core.mjs, mcp-server.mjs) and run npm install/test in a sandboxed environment; verify dependencies and add missing ones (modelcontextprotocol sdk) before production use.
  If you want to proceed, prefer providing credentials via environment variables scoped to a dedicated app with minimal permissions, or run the tool in an isolated container.
Review Dimensions
- Purpose & Capability (note): Name, README, SKILL.md and code all implement an X Platform (Twitter) client with read/write functionality; the required OAuth/bearer credentials are appropriate for that purpose. However, the registry metadata claims no required env vars/credentials while SKILL.md and the code clearly expect multiple X-related credentials — an inconsistency that could mislead users about what secrets will be needed.
- Instruction Scope (concern): Runtime instructions and code access credentials via environment variables and via the 1Password CLI (op read) using child_process.execSync. That behavior is consistent with the README troubleshooting text, but the code's default 1Password item name differs from README/SKILL.md, and the code will execute a system command to read secrets if op is available. The skill also exposes an MCP server that will accept tool calls (read/write) — make sure you understand which agent contexts can invoke those tools.
- Install Mechanism (note): There is no install spec (instruction-only in registry), which reduces install risk, but the package includes Node code and an npm dependency (@xdevplatform/xdk) referenced in package.json and package-lock (resolved from npm). No downloads from arbitrary URLs were observed. One mismatch: mcp-server imports @modelcontextprotocol/sdk but that dependency is not listed in package.json, a packaging inconsistency that may cause runtime failures.
- Credentials (concern): The code and SKILL.md require sensitive credentials (X_BEARER_TOKEN and the four OAuth 1.0a tokens) and optionally 1Password vault access (OP_VAULT / OP_ITEM). Those tokens are proportionate for a read+write X client, but the registry metadata omitted them, and the README/SKILL.md and auth.mjs disagree on the default 1Password item name (README says item "X Platform API"; auth.mjs defaults OP_ITEM to 'X API Key - wip-01'). This mismatch could cause unexpected credential prompts or failures and increases the chance of accidental secret exposure.
- Persistence & Privilege (ok): always:false and no claimed system-wide modifications. The skill can be invoked autonomously (default platform behavior), which combined with access to OAuth credentials increases blast radius — expected for a networked API client but worth noting. The skill itself does not request permanent system-level privileges.
