Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Twitter Query

v1.0.0

Query X/Twitter via twitterapi.io read-only APIs by account (user timeline) or by keyword (advanced search). Outputs structured JSON; no LLM, no trend scorin...

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The scripts implement exactly what the name/description promise: read-only queries to twitterapi.io (user timeline and advanced search) and JSON output. However the registry metadata lists no required environment variables while SKILL.md and the scripts clearly require TWITTER_API_KEY (and optionally TWITTER_API_BASE). This metadata mismatch is inconsistent and may lead to missing user prompts or disclosure in install flows.
Instruction Scope
SKILL.md instructs the agent/user to set TWITTER_API_KEY and run the two Python scripts; the scripts only perform HTTP GETs to the configured base and print JSON to stdout. They do not access other system files, other credentials, or external telemetry endpoints. One noteworthy instruction-level detail: TWITTER_API_BASE is overrideable; if a user or agent sets that to a malicious URL the skill will send the API key there (the scripts do not restrict allowed hosts).
Install Mechanism
There is no automated install spec — this is effectively an instruction-and-scripts package. The code uses only Python stdlib and will run locally; nothing is downloaded from arbitrary third-party URLs. This is low install-surface risk.
Credentials
Functionally the skill only needs one secret (TWITTER_API_KEY), which is proportionate. But the package/registry metadata does not declare this required env var or a primary credential (the SKILL.md and scripts do). That mismatch is concerning because platforms may not surface the requirement to users. Additionally, allowing TWITTER_API_BASE to be set by env var means the key could be sent to a non-twitterapi.io host if misconfigured.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. It does not modify other skills or system-wide settings. Autonomous invocation is allowed (default) but is not combined with other alarming privileges here.
What to consider before installing
This skill appears to do what it claims (fetch tweets via twitterapi.io) and the Python scripts are readable and use only stdlib. Before installing or running it:
- Treat TWITTER_API_KEY as a secret. Only provide your real key if you trust the skill and its source; consider using a throwaway/test key first.
- Verify the platform metadata: the skill's SKILL.md and scripts require TWITTER_API_KEY, but the registry metadata does not declare it — ask the publisher to update the manifest to list required env vars.
- Do not change TWITTER_API_BASE to an unknown host. If you must override it (for testing), run in an isolated environment and monitor network traffic to ensure your API key isn't sent to an unexpected endpoint.
- If you have security concerns, inspect the two scripts yourself or run them locally with your network blocked (or a proxy you control) to observe behavior. Ask the publisher to restrict or validate TWITTER_API_BASE in-code if you need stronger guarantees.
Because of the metadata inconsistency and the overridable base URL, I rate this as suspicious rather than benign; these are fixable but should be clarified before broad use.


latest: vk977ay10fee921r96grnryswth83x1tb
177 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

Twitter / X Tweet Query (read-only)

Fetches tweets via twitterapi.io, by account or by keyword, and outputs JSON. No LLM integration; no trending lists or popularity modeling.

Environment

  • TWITTER_API_KEY: required (sent as the HTTP header X-API-Key).
  • TWITTER_API_BASE: optional, default https://api.twitterapi.io
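The scan above points out that the scripts accept any TWITTER_API_BASE and will send the API key to whatever host it names. The following is an added example of how a caller (or the skill itself) can resolve that variable defensively; it is not code from the skill's scripts. It uses only the Python standard library, as the scripts do. The allowlist containing only api.twitterapi.io, the exception name UnsafeApiBase, and the query parameter names are assumptions of this example.

```python
import os
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

DEFAULT_API_BASE = "https://api.twitterapi.io"
# Hosts the API key may be sent to. Constructed allowlist for this example;
# the real twitterapi.io host is the only entry.
ALLOWED_HOSTS = frozenset({"api.twitterapi.io"})


class UnsafeApiBase(ValueError):
    """Raised when TWITTER_API_BASE would send the key somewhere unexpected."""


def resolve_api_base(env=None):
    """Return a validated base URL or raise UnsafeApiBase.

    Exact host matching is deliberate: a suffix check would accept a host
    such as api.twitterapi.io.attacker.example.
    """
    env = os.environ if env is None else env
    raw = env.get("TWITTER_API_BASE", DEFAULT_API_BASE).strip()
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise UnsafeApiBase(f"TWITTER_API_BASE must use https, got {raw!r}")
    if parts.username or parts.password:
        raise UnsafeApiBase("TWITTER_API_BASE must not embed credentials")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeApiBase(f"host {host!r} is not an allowed twitterapi.io host")
    # Normalise: drop a trailing slash so endpoint paths can be appended directly.
    return f"https://{parts.netloc}{parts.path.rstrip('/')}"


def build_request(path, params, env=None):
    """Build the GET request the scripts would send, without sending it.

    The X-API-Key header is attached only after the base URL has passed
    resolve_api_base(), so the key never travels to an unvetted host.
    """
    env = os.environ if env is None else env
    api_key = env.get("TWITTER_API_KEY")
    if not api_key:
        raise RuntimeError("TWITTER_API_KEY is not set")
    base = resolve_api_base(env)
    url = f"{base}{path}?{urlencode(params)}"
    return Request(url, headers={"X-API-Key": api_key}, method="GET")


if __name__ == "__main__":
    # Constructed environments for demonstration; nothing is sent over the network.
    good = {"TWITTER_API_KEY": "test-key",
            "TWITTER_API_BASE": "https://api.twitterapi.io/"}
    req = build_request("/twitter/user/last_tweets",
                        {"userName": "someuser", "cursor": ""}, env=good)
    print("would send:", req.get_method(), req.full_url)
    for bad in ("http://api.twitterapi.io",
                "https://api.twitterapi.io.attacker.example",
                "https://collector.example/proxy"):
        try:
            resolve_api_base({"TWITTER_API_BASE": bad})
        except UnsafeApiBase as exc:
            print("refused:", exc)
```

Run locally with no key set to see the refusals; when reviewing the real scripts, the thing to look for is whether the key header is built before or after any such check on the base URL.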

OpenClaw / ClawHub install

In a client that supports Skills (use the published repository name; the example here is alexander10011/twitter-query):

npx skills add alexander10011/twitter-query

After installing, run the scripts from the root of the skill package (adjust the path to wherever it was actually cloned).

Script paths (repository root)

  • User timeline: python3 scripts/query_by_user.py USERNAME [options]
  • Keyword advanced search: python3 scripts/query_by_keyword.py "query string" [options]

By account

export TWITTER_API_KEY="你的key"
python3 scripts/query_by_user.py VitalikButerin --max-pages 5
python3 scripts/query_by_user.py someuser --include-replies --max-pages 10
  • Endpoint: GET /twitter/user/last_tweets (see the API docs); cursor pagination, roughly 20 tweets per page at most.
  • The time range is limited only indirectly by the number of pages fetched; for "the last N days", filter the returned createdAt values yourself.
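Since the endpoint only pages by cursor, a "last N days" query has to walk pages and filter on createdAt client-side. The following is an added example of that loop, not code from the skill's scripts. The page shape {"tweets": [...], "has_next_page": bool, "next_cursor": str}, the two createdAt formats accepted, and the sample tweets are assumptions constructed for this example; the fetch function is injected so the walk runs offline and stops early once a page's oldest tweet falls outside the window, the same way --max-pages caps it.

```python
from datetime import datetime, timedelta, timezone

# Timestamp formats accepted for createdAt. Twitter's classic format is tried
# first; ISO 8601 is the fallback. Which one twitterapi.io emits is an
# assumption of this example, so both are handled.
_CREATED_AT_FORMATS = ("%a %b %d %H:%M:%S %z %Y",)


def parse_created_at(value):
    """Parse a createdAt string into a timezone-aware datetime."""
    for fmt in _CREATED_AT_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def fetch_recent_tweets(fetch_page, days, now=None, max_pages=10):
    """Walk cursor-paginated pages and keep tweets newer than `days` days.

    fetch_page(cursor) must return a page shaped like
    {"tweets": [...], "has_next_page": bool, "next_cursor": str} (assumed
    shape). Pages are newest-first, so paging stops as soon as the last tweet
    on a page is older than the cutoff; max_pages caps the walk regardless.
    Returns (kept_tweets, pages_fetched).
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    kept, cursor, pages = [], "", 0
    while pages < max_pages:
        page = fetch_page(cursor)
        pages += 1
        tweets = page.get("tweets", [])
        for tweet in tweets:
            if parse_created_at(tweet["createdAt"]) >= cutoff:
                kept.append(tweet)
        if not page.get("has_next_page") or not page.get("next_cursor"):
            break
        if tweets and parse_created_at(tweets[-1]["createdAt"]) < cutoff:
            break  # everything further back is older still
        cursor = page["next_cursor"]
    return kept, pages


# Constructed sample pages standing in for the API; no network access.
SAMPLE_PAGES = {
    "": {"tweets": [
            {"id": "1", "createdAt": "Mon Mar 09 10:00:00 +0000 2026"},
            {"id": "2", "createdAt": "Sun Mar 08 09:00:00 +0000 2026"}],
         "has_next_page": True, "next_cursor": "c1"},
    "c1": {"tweets": [
            {"id": "3", "createdAt": "2026-03-05T08:30:00Z"},
            {"id": "4", "createdAt": "Fri Feb 20 12:00:00 +0000 2026"}],
         "has_next_page": True, "next_cursor": "c2"},
    "c2": {"tweets": [
            {"id": "5", "createdAt": "Sun Feb 15 12:00:00 +0000 2026"}],
         "has_next_page": False, "next_cursor": ""},
}

# Fixed "now" so the example is reproducible (constructed).
FIXED_NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)


def sample_fetch(cursor):
    """Stand-in for an HTTP call: look the page up by cursor."""
    return SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    recent, pages_used = fetch_recent_tweets(sample_fetch, days=7, now=FIXED_NOW)
    print([t["id"] for t in recent], "pages fetched:", pages_used)
```

With the sample data and a 7-day window the walk keeps tweets 1, 2 and 3 and fetches only two pages, since the second page already reaches past the cutoff; the third page is never requested.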

By keyword

python3 scripts/query_by_keyword.py '$BTC min_faves:5' --query-type Latest --max-pages 3
python3 scripts/query_by_keyword.py 'from:elonmusk since:2026-03-01_00:00:00_UTC' --query-type Top
  • Endpoint: GET /twitter/tweet/advanced_search (see the API docs).
  • queryType: Latest or Top; default Latest.
  • Syntax reference: twitter-advanced-search

Output

The scripts print JSON (UTF-8) to stdout, containing meta and tweets.

Agent workflow

  1. Confirm that TWITTER_API_KEY is set.
  2. Choose query_by_user or query_by_keyword and run the script.
  3. If a Chinese summary or a synthesis of viewpoints is needed, do it within the current conversation model; this Skill does not call any external summarization API.

License

MIT, see LICENSE
