Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Production-ready Twitter/X data and automation for autonomous agents

v1.0.0

Search X (Twitter) in real time, monitor trends, extract posts, and analyze social media data—perfect for social listening and intelligence gathering. Safe read-only operations by default.

by Ning Ren (@renning22)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, required binaries (curl, python3), and the single required env var (AISA_API_KEY) all align with a client that calls the AIsa API for Twitter data. The included python client and curl examples point at api.aisa.one, which matches the documented provider.
Instruction Scope
SKILL.md and code focus primarily on read-only operations and provide concrete curl/python examples. However, the instructions explicitly include write operations that require sending Twitter credentials (email+password) and proxy info to https://api.aisa.one. Those write steps are clearly documented and repeatedly warned as high-risk — this is scope-consistent for an automation feature but represents a significant security/operational risk that users must opt into knowingly.
Install Mechanism
No install spec or external downloads are declared; code is bundled with the skill. That minimizes installer attack surface. There are no suspicious remote install URLs or archive extraction steps in the manifest.
Credentials
The skill only requires one environment variable (AISA_API_KEY), which is appropriate for an API-backed client. It does not demand unrelated system credentials. That said, write operations require explicit Twitter credentials to be provided (via API call payload, not as declared env vars), which is high-risk but documented rather than hidden.
Persistence & Privilege
The skill does not request always: true and does not declare system-level config changes. disable-model-invocation is false (normal) so the skill can be invoked autonomously — combine that with the documented write capability only if you intentionally allow it.
Assessment
This package appears to do what it claims: use the AIsa API to fetch Twitter/X data, with read operations treated as safe and write operations explicitly labeled high-risk. Before installing or using it: (1) prefer read-only features — they only require the AISA_API_KEY; (2) never supply your primary Twitter account credentials to the tool or to api.aisa.one — if you must use write features, create a dedicated test/automation account with a unique password and accept the risk of account loss or suspension; (3) review the included twitter_client.py source and runtime warnings yourself to ensure the code behaves as documented; (4) verify the legitimacy and security posture of api.aisa.one (TLS, privacy policy, reputation) before sending credentials; (5) consider network controls (isolated environment, proxy, monitoring) if you will test write operations; and (6) because the agent can invoke this skill autonomously, restrict automatic use of write operations (require explicit user confirmation) to avoid accidental credential transmission.

Like a lobster shell, security has layers — review code before you run it.

latestvk9740jw5z0qgc0axqn1g78p3w1810atz

Runtime requirements

🐦 Clawdis
Bins: curl, python3
Env: AISA_API_KEY
Primary env: AISA_API_KEY
