Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X Read

v1.0.1

Render and summarize a public X (Twitter) link when you need to read the tweet/article content without logging in.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: index.js uses Puppeteer to load X permalinks, extract tweet/article text, links, and media, and format a markdown summary. No unrelated environment variables, binaries, or external services are requested.
Instruction Scope
SKILL.md explicitly instructs a read-only workflow (navigate to URL, wait for tweet/article selectors, extract text/media). The runtime directives in index.js stay within that scope (DOM scraping, optional fallback of full page text). It does log some page text for debugging but does not transmit data to external endpoints beyond the normal navigation to the provided URL.
Install Mechanism
There is no separate install spec, but package.json depends on puppeteer (and package-lock lists npm registry packages). Installing will pull Puppeteer and associated npm packages, and Puppeteer typically downloads a Chromium browser binary (archive extraction). This is expected for the task but is heavier than a pure script and involves network/IO during install.
Credentials
The skill requires no environment variables, credentials, or config paths; the requested privileges are proportional to the stated read-only scraping purpose.
Persistence & Privilege
The skill is not marked always:true and does not attempt to persist or modify other skills or global settings. It uses normal, on-demand invocation privileges.
Assessment
This skill appears coherent and read-only: it scrapes public X pages with Puppeteer and needs no API keys. Before installing, consider:
(1) Puppeteer will download a Chromium binary and pull many npm packages, so expect a heavier install and network activity.
(2) The script launches Chromium with '--no-sandbox' and related flags (common for containerized runs), which reduces process-level sandboxing; run the skill in a hardened environment or sandboxed container.
(3) Verify you are comfortable with automated scraping under the target site's terms of service.
(4) Review the index.js output and test locally with a few public links to confirm behavior.
(5) Do not provide any secrets to the skill (it does not need them).
If you want stricter safety, restrict this skill to explicit user invocation only and monitor network egress from the runtime environment.

Like a lobster shell, security has layers — review code before you run it.
