Search X
v1.2.1 · Real-time X/Twitter search powered by Grok-4. Find tweets, trends, and discussions with citations. Grok-4.20 also returns image results alongside tweet citat...
⭐ 25 · 5.9k · 37 current · 37 all-time
by Matt Van Horn (@mvanhorn)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim real-time X search via Grok/xAI and the package only asks for an xAI API key and optionally reads a local clawdbot config for the same key. The code calls api.x.ai/v1/responses with an x_search tool payload — consistent with the stated purpose.
Instruction Scope
SKILL.md instructs running the bundled Node script and setting XAI_API_KEY (or the clawdbot config) which the script uses. A static scan flagged a 'system-prompt-override' pattern; this skill intentionally constructs a system prompt (payload.input) for the x_search tool when calling the Responses API, which explains the finding. There is no instruction to read unrelated files or to transmit data to endpoints other than api.x.ai.
Install Mechanism
No install spec; the skill is instruction-only plus a small local JS script. There are no downloads from untrusted URLs, no extract operations, and no package installs performed by the skill at runtime.
Credentials
Only XAI_API_KEY is required (declared as primary). The script also respects optional SEARCH_X_MODEL and SEARCH_X_DAYS. It will attempt to read ~/.clawdbot/clawdbot.json to find a stored apiKey as a convenience fallback — this is consistent with its purpose but means it will read that config file if present.
Persistence & Privilege
The skill does not request permanent inclusion (always=false), does not modify other skills or system-wide settings, and does not write persistent data. It only reads a local config file if present.
Scan Findings in Context
[system-prompt-override] expected: The script builds a 'systemPrompt' string and includes it in the payload.input sent to x.ai. A detector flagged this as a potential system-prompt override, but providing a prompt in the API payload is expected behavior for an LLM-based search tool; review the prompt text if you are concerned.
Assessment
This skill appears to do what it claims: it uses your xAI API key to query api.x.ai for X/Twitter results. Before installing: 1) Only provide an XAI_API_KEY you trust and that has appropriate permissions. 2) If you have a ~/.clawdbot/clawdbot.json file, the script will read it to try to find an API key — remove sensitive keys if you don't want them reused. 3) Review the script (scripts/search.js) yourself if you have concerns; it only makes HTTPS requests to api.x.ai and prints results. 4) If you plan to run this in a sensitive environment, consider running it in an isolated container or environment to limit exposure of any local config files.
Like a lobster shell, security has layers — review code before you run it.
latestvk977pfntp7j9jmmhxqxdc9h7e182eqe0
Runtime requirements
🔍 Clawdis
Env: XAI_API_KEY
Primary env: XAI_API_KEY
