ETH24
PassAudited by ClawScan on May 10, 2026.
Overview
ETH24 appears to do what it claims: fetch public X/RSS content, rank it with AI, and save or draft a digest, but it relies on external API keys and user review of generated social content.
Before installing, be prepared to supply and pay for the relevant API providers, run it in a controlled Python environment, and review the generated digest or Typefully draft before publishing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or spammy tweet/RSS item could try to steer the AI ranking or wording, leading to a misleading digest or draft.
The model prompt includes raw tweet and RSS content, which may contain untrusted text. This is central to ranking a social-media digest, but the generated JSON can be influenced by the input content.
RAW DATA:\n{context[:12000]}Review ranked.json, cli.txt, or thread.txt before publishing or relying on the digest.
Running tweet mode with Typefully credentials can create a draft in the connected social publishing account.
In tweet mode, the skill can send generated digest text to Typefully to create a draft. This is disclosed and purpose-aligned, but it is an account-modifying API action.
if social_set_id and typefully_key:\n posts = [{"text": text}]\n create_draft(social_set_id, posts)Use CLI mode for local previews, keep Typefully credentials scoped, and review drafts before publishing.
The skill can spend API quota and access the connected X/xAI/Anthropic/Typefully services according to the tokens provided.
The skill uses provider credentials for the expected crawl and ranking integrations. The registry metadata says no required env vars, so users should not miss these credential requirements.
XAI_API_KEY=... # xAI API key\nX_BEARER_TOKEN=... # X API v2 bearer token\nANTHROPIC_API_KEY=... # Anthropic API key
Use least-privilege, revocable API keys and monitor provider usage/costs.
Dependency behavior could change over time if installed without a lockfile or pinned versions.
The Python dependencies are not version-pinned. This is common for simple projects, but it means future installs may resolve different package versions.
feedparser\nPillow\nhttpx
Install in a virtual environment and consider pinning dependency versions before routine use.