Skill v1.0.1
ClawScan security
xpull · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 1:57 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and declared requirements are consistent with its stated purpose: fetching X/Twitter content via FxTwitter (no key) and using xAI/Grok (requires XAI_API_KEY) with a local daily-cap state file.
- Guidance: This skill appears to do what it says: fx-fetch uses the public FxTwitter proxy (no credentials) and grok-x-search uses your xAI API key and writes a local .grok-state.json to enforce a daily cap. Before installing: (1) consider whether you trust api.fxtwitter.com and the x.ai service; (2) keep XAI_API_KEY private (do not commit a .env with the key into version control); (3) expect Grok calls to incur cost — the README mentions pricing; (4) the script will create .grok-state.json in the project root to track usage; if you want more containment, run it in a sandbox or inspect/run the scripts locally first. The repository URL is declared in metadata — review that upstream source if you need higher assurance.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included scripts. fx-fetch.mjs contacts api.fxtwitter.com and requires only node; grok-x-search.mjs contacts api.x.ai and requires XAI_API_KEY. Optional GROK_DAILY_CAP is present and used. No unrelated credentials or binaries are requested.
- Instruction Scope (ok): SKILL.md instructs running the two included node scripts and documents which calls require the API key. The scripts only read a local .env (optional), write a .grok-state.json next to the repository to enforce a daily cap, and make HTTPS calls to api.fxtwitter.com and api.x.ai. They do not execute shell commands, read other system files, or contact unexpected endpoints.
- Install Mechanism (ok): No install spec is provided (instruction-only); requiring node is appropriate for the provided .mjs scripts. Nothing is downloaded from arbitrary URLs or written to unusual system locations by an installer.
- Credentials (ok): Only XAI_API_KEY (primary) is required for Grok features; GROK_DAILY_CAP is optional. The requested environment variables align with the documented Grok usage and no unrelated secrets are requested.
- Persistence & Privilege (ok): always:false (normal). The script writes a single .grok-state.json in the repository root to track daily usage — limited, local persistence. The skill does not modify other skills or global agent settings.
