Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X Search (x402)

AI-powered X/Twitter search for real-time trends, breaking news, sentiment analysis, and social media insights. Use when users want to search Twitter/X for topics, hashtags, viral content, or public opinion. Costs $0.05 USDC per request via x402 protocol on Base network.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 2.1k · 8 current installs · 8 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to perform paid X/Twitter searches via the x402 protocol, which reasonably requires a signing/payment key. However, the package/registry metadata declares no required env vars or primary credential while the SKILL.md and script explicitly require an X402 private key. That's an internal inconsistency: either the registry metadata is incomplete or the skill is asking for credentials that weren't disclosed.
Instruction Scope
SKILL.md and scripts/search.sh instruct the agent (and user) to provide a private key via env var or by placing a plaintext JSON file in home/current/PWD. The script reads that file and exports X402_PRIVATE_KEY, then invokes an external tool. There are no instructions limiting how the key may be used; storing a private key in ~/.x402-config.json is insecure and the script grants the external npm tool full access to that key at runtime.
Install Mechanism
There is no install spec in the skill registry, but the shipped script runs npx -y @itzannetos/x402-tools-claude x-search — which will fetch and execute code from the npm registry at runtime without a pinned version. That is a moderate-to-high risk vector: it executes third-party code fetched on demand and could run arbitrary network/file operations. The npm package author and package contents are not referenced in the skill metadata or SKILL.md for review.
Credentials
Requesting an x402/private key is proportionate to a paid blockchain-backed search service, but the skill fails to declare this credential in its manifest (registry shows no required env vars/primary credential). The SKILL.md also recommends storing the private key in plaintext files, increasing risk. The skill does not declare or justify other sensitive environment access, but the undocumented credential requirement is the main issue.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide changes. It is user-invocable and can be invoked autonomously (platform default). It does read files in the user's home/current/PWD scopes but does not modify other skills or global config.
What to consider before installing
Do not run this script or call its npx command until you verify a few things: (1) The registry metadata should list the required credential (X402_PRIVATE_KEY) — its omission is an inconsistency. (2) Inspect the npm package @itzannetos/x402-tools-claude (or avoid npx) — npx -y will download and execute code that could exfiltrate your key. Prefer a pinned package version, or vendor the reviewed code into the skill instead of using npx. (3) Avoid storing private keys in plaintext files in your home directory; use environment variables or a secure signer/wallet. (4) If you must test, do so in an isolated environment (throwaway wallet with minimal funds/USDC) and review network calls made by the npm package. If you cannot validate the npm package author and contents, treat this skill as risky.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.0
Tags: latest, search, sentiment-analysis, social-media, trends, twitter, x, x402

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

X Search

Search X/Twitter using an AI-powered agent for real-time insights and social media intelligence.

Configuration

The private key must be available via one of these methods:

Option 1: Environment variable

export X402_PRIVATE_KEY="0x..."

Option 2: Config file (Recommended)

The script checks for x402-config.json in these locations (in order):

  1. Current directory: ./x402-config.json
  2. Home directory: ~/.x402-config.json (Recommended)
  3. Working directory: $PWD/x402-config.json

Create the config file:

{
  "private_key": "0x1234567890abcdef..."
}

Example (home directory - works for any user):

echo '{"private_key": "0x..."}' > ~/.x402-config.json

Usage

Run the search script with a query:

scripts/search.sh "<search query>"

The script:

  • Executes the npx CLI tool with payment handling
  • Costs $0.05 USDC per request (Base network)
  • Returns AI-processed search results

Examples

User: "What are people saying about AI agents on Twitter?"

scripts/search.sh "AI agents discussions and opinions"

User: "Find trending topics about cryptocurrency"

scripts/search.sh "cryptocurrency trends today"

User: "Show me viral content about climate change"

scripts/search.sh "viral climate change posts"

Capabilities

  • Real-time trends and breaking news
  • Social media sentiment analysis
  • Viral content tracking
  • Public opinion research
  • Hashtag and topic analysis

Error Handling

  • "Payment failed: Not enough USDC" → Inform user to top up Base wallet with USDC
  • "X402 private key missing" → Guide user to configure private key (see Configuration above)
  • Timeout errors → The API has a 5-minute timeout; complex queries may take time
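The three findings in the scan report above (a credential the manifest never declares, an unpinned `npx -y` run, and a private key kept in a plaintext file at the locations SKILL.md lists) can be checked mechanically before a skill is installed. This is an added example, not ClawHub's or the skill's own code; it builds a constructed miniature of the skill in a temp directory and assumes a `skill.json` manifest with an `env` list of declared variables, which this registry may not actually use.

```python
"""Audit a skill for the flagged issues: undeclared credential, unpinned npx -y, plaintext key."""
import json, os, re, stat, tempfile

def script_env(script_text):
    """Variables the script exports or expands, minus shell-provided ones."""
    names = set(re.findall(r"\bexport\s+([A-Z_][A-Z0-9_]*)", script_text))
    names |= set(re.findall(r"\$\{?([A-Z_][A-Z0-9_]*)\}?", script_text))
    return names - {"HOME", "PWD", "PATH"}

def unpinned_npx(script_text):
    """Packages run via `npx -y`/`--yes` whose spec carries no @version."""
    runs = re.findall(r"\bnpx\s+((?:-\S+\s+)*)(\S+)", script_text)
    return [pkg for flags, pkg in runs
            if {"-y", "--yes"} & set(flags.split()) and "@" not in pkg[1:]]

def plaintext_key_files(candidates):
    """JSON files holding "private_key" -> True if group/others can read them."""
    out = {}
    for p in filter(os.path.isfile, candidates):
        with open(p) as f:
            data = json.load(f)
        if "private_key" in data:
            out[p] = bool(stat.S_IMODE(os.stat(p).st_mode) & 0o077)
    return out

def audit(skill_dir, home, cwd):
    """Assumes a skill.json manifest with an "env" list; config lookup order follows SKILL.md."""
    with open(os.path.join(skill_dir, "skill.json")) as f:
        declared = set(json.load(f).get("env", []))
    with open(os.path.join(skill_dir, "scripts", "search.sh")) as f:
        script = f.read()
    candidates = [os.path.join(cwd, "x402-config.json"), os.path.join(home, ".x402-config.json")]
    return {"undeclared_env": sorted(script_env(script) - declared),
            "unpinned_npx": unpinned_npx(script),
            "plaintext_keys": plaintext_key_files(candidates)}

def build_demo():
    """Constructed fixture mirroring the behaviour SKILL.md describes; returns (skill, home)."""
    root = tempfile.mkdtemp()
    skill, home = os.path.join(root, "skill"), os.path.join(root, "home")
    os.makedirs(os.path.join(skill, "scripts")); os.makedirs(home)
    def write(path, text):
        with open(path, "w") as f: f.write(text)
    write(os.path.join(skill, "skill.json"), '{"name": "x-search", "env": []}')  # credential undeclared
    write(os.path.join(skill, "scripts", "search.sh"), '#!/bin/sh\n'
          'export X402_PRIVATE_KEY="$(jq -r .private_key "$HOME/.x402-config.json")"\n'
          'npx -y @itzannetos/x402-tools-claude x-search "$1"\n')
    cfg = os.path.join(home, ".x402-config.json")
    write(cfg, '{"private_key": "0xDEMO-NOT-A-REAL-KEY"}')  # constructed placeholder, not a real key
    os.chmod(cfg, 0o644)  # world-readable, as a bare `echo > file` usually leaves it
    return skill, home
```

Running `audit(*build_demo(), cwd)` against the fixture reports `X402_PRIVATE_KEY` as undeclared, the unpinned package, and the world-readable key file; pinning the package (`@itzannetos/x402-tools-claude@<version>`) clears the second finding.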
