ETH24

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: eth24
Version: 0.1.0

The OpenClaw AgentSkills skill bundle 'eth24' is designed to crawl social media and RSS feeds, rank content using AI, and publish daily digests. All network requests (X API, Grok AI, Anthropic AI, Typefully API) and file system operations (reading config, writing output JSON/text/images) are directly aligned with this stated purpose. Environment variables for API keys are handled appropriately. The `SKILL.md` and `commands/eth24.md` instructions for the AI agent are functional and do not contain any malicious prompt injection attempts. There is no evidence of data exfiltration to unauthorized endpoints, persistence mechanisms, or other intentional harmful behaviors.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or spammy tweet/RSS item could try to steer the AI ranking or wording, leading to a misleading digest or draft.

Why it was flagged

The model prompt includes raw tweet and RSS content, which may contain untrusted text. This is central to ranking a social-media digest, but the generated JSON can be influenced by the input content.

Skill content

    RAW DATA:
    {context[:12000]}

Recommendation

Review ranked.json, cli.txt, or thread.txt before publishing or relying on the digest.

What this means

Running tweet mode with Typefully credentials can create a draft in the connected social publishing account.

Why it was flagged

In tweet mode, the skill can send generated digest text to Typefully to create a draft. This is disclosed and purpose-aligned, but it is an account-modifying API action.

Skill content

    if social_set_id and typefully_key:
        posts = [{"text": text}]
        create_draft(social_set_id, posts)

Recommendation

Use CLI mode for local previews, keep Typefully credentials scoped, and review drafts before publishing.

What this means

The skill can spend API quota and access the connected X/xAI/Anthropic/Typefully services according to the tokens provided.

Why it was flagged

The skill uses provider credentials for the expected crawl and ranking integrations. The registry metadata says no required env vars, so users should not miss these credential requirements.

Skill content

    XAI_API_KEY=...           # xAI API key
    X_BEARER_TOKEN=...        # X API v2 bearer token
    ANTHROPIC_API_KEY=...     # Anthropic API key

Recommendation

Use least-privilege, revocable API keys and monitor provider usage/costs.

What this means

Dependency behavior could change over time if installed without a lockfile or pinned versions.

Why it was flagged

The Python dependencies are not version-pinned. This is common for simple projects, but it means future installs may resolve different package versions.

Skill content

    feedparser
    Pillow
    httpx

Recommendation

Install in a virtual environment and consider pinning dependency versions before routine use.