Skill v1.1.0

ClawScan security

Kiro X Publisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 21, 2026, 10:03 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code, scripts, and instructions are consistent with its stated purpose (discovering, summarizing, drafting, and optionally posting X tweets), but there are a few minor mismatches and privacy trade‑offs you should review before installing.
Guidance
This skill appears to do what it says: it searches X, optionally enriches results via FxTwitter, ranks the items, drafts a single tweet, and can post it if you supply OAuth 1.0a keys. Before installing:

1. If you do not want it to post, do not provide the OAuth keys (X_API_KEY, X_API_SECRET, X_ACCESS_TOKEN, X_ACCESS_TOKEN_SECRET); only X_BEARER_TOKEN is needed for search. The registry metadata currently lists all five keys as required, so confirm the platform will not force you to supply them.
2. The setup cron script runs openclaw.mjs through a Node binary; make sure node is on PATH, or skip the cron setup entirely.
3. Enrichment calls api.fxtwitter.com, a third-party service. Any tweet IDs or URLs sent to that endpoint are visible to that service; review the privacy implications for your use.
4. The scripts write a .env.template into the local skill workspace. If you fill it in with real credentials, keep the file inside that workspace and restrict its permissions.
5. Run in search-only mode first (without --post) and review the drafted output before enabling scheduled posting.

If you want stronger assurance, ask the publisher (kiroai.io) why the registry metadata requires all OAuth env vars and whether cron setup requires node.
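The following pre-run gate is an added example written for this review; it is not code from the Kiro X Publisher skill or from ClawHub. It encodes the guidance above as checks you can run before installing: search needs only X_BEARER_TOKEN, posting needs the four OAuth keys, the cron installer needs node, and a real .env must not be readable by other users. It also builds the environment you would hand the skill process so that a search-only run cannot post even if OAuth keys happen to be exported in your shell. All function names (preflight, scoped_env, perm_issues, and so on) and the --cron flag are this example's own assumptions; only the env var names and --post come from the review.

```python
"""Pre-run gate for a search-or-post X skill.

Added example for this review, not the skill's own code. The function names
and the --cron flag are assumptions; the X_* variable names and --post come
from the skill's documentation as summarized in the review.
"""
import os
import shutil
import stat
import sys

SEARCH_VARS = ("X_BEARER_TOKEN",)
POST_VARS = ("X_API_KEY", "X_API_SECRET", "X_ACCESS_TOKEN", "X_ACCESS_TOKEN_SECRET")


def required_vars(post: bool) -> tuple:
    """Variables a run actually needs: bearer token always, OAuth keys only for --post."""
    return SEARCH_VARS + (POST_VARS if post else ())


def missing_vars(env: dict, post: bool) -> list:
    """Names of required variables that are unset or empty in `env`."""
    return [name for name in required_vars(post) if not env.get(name)]


def scoped_env(env: dict, post: bool) -> dict:
    """Environment to hand the skill process.

    Every X_* variable not required for this mode is dropped, so a search-only
    run has no posting credentials at all, whatever the shell exports.
    """
    keep = set(required_vars(post))
    return {k: v for k, v in env.items() if k in keep or not k.startswith("X_")}


def perm_issues(mode: int, path: str = ".env") -> list:
    """Findings for a credentials file that group/others can read or write."""
    issues = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append(f"{path} is readable by other users (mode {stat.S_IMODE(mode):04o}); chmod 600")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append(f"{path} is writable by other users; chmod 600")
    return issues


def env_file_issues(path: str) -> list:
    """Permission check on a real file; a missing file has nothing to protect."""
    if not os.path.exists(path):
        return []
    return perm_issues(os.stat(path).st_mode, path)


def cron_prereq_issues(which=shutil.which) -> list:
    """setup_cron.sh runs openclaw.mjs through node, which the manifest does not declare."""
    return [] if which("node") else ["node not on PATH: skip setup_cron.sh or install Node first"]


def preflight(env: dict, post: bool, env_file: str = None,
              install_cron: bool = False, which=shutil.which) -> list:
    """All blocking findings for the requested mode; an empty list means safe to run."""
    issues = [f"missing {name} (required for {'posting' if name in POST_VARS else 'search'})"
              for name in missing_vars(env, post)]
    if env_file:
        issues += env_file_issues(env_file)
    if install_cron:
        issues += cron_prereq_issues(which)
    return issues


if __name__ == "__main__":
    post = "--post" in sys.argv
    problems = preflight(dict(os.environ), post, env_file=".env", install_cron="--cron" in sys.argv)
    for problem in problems:
        print("BLOCK:", problem)
    if problems:
        sys.exit(1)
    # Launch the skill with scoped_env(dict(os.environ), post) as its environment,
    # e.g. subprocess.run([...], env=scoped_env(dict(os.environ), post)).
    child_env = scoped_env(dict(os.environ), post)
    print("ok: mode =", "post" if post else "search-only",
          "| X_* keys passed through:", sorted(k for k in child_env if k.startswith("X_")))
```

Run it once without --post to confirm the search-only path needs nothing but the bearer token, then again with --post only after you have reviewed the drafted tweets. The scoped environment is the important part: relying on the skill to ignore keys it was given is weaker than never giving it the keys.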

Review Dimensions

Purpose & Capability
note: Name and description match the included code: search via the X API, enrich via FxTwitter, score and summarize, draft one tweet, and optionally post via OAuth 1.0a. However, the registry metadata lists all OAuth keys as required even though SKILL.md and the scripts treat posting as optional (search needs only X_BEARER_TOKEN). Also, setup_cron.sh runs a Node script (openclaw.mjs) via node, but the declared required binaries list only python3.
Instruction Scope
note: SKILL.md directs the user to run the included Python scripts; the code only talks to the X API and FxTwitter (for enrichment) and writes outputs to ./outputs/x-hot/. It does not read arbitrary system files. The enrichment step sends tweet URLs/IDs to api.fxtwitter.com, a third-party endpoint that the docs do mention. The cron installer runs openclaw.mjs (via node) to register jobs, which is reasonable but is not declared in the required binaries.
Install Mechanism
ok: There is no external download or install step; the package is instruction-and-script based, with the Python files included. The provided scripts download no archives and execute no remote code.
Credentials
note: The skill needs X API credentials to post and a bearer token to search, which is proportional to its functionality. But the registry declares all five X_* env vars as required, while the documentation correctly marks four of them as optional (needed only with --post). Confirm whether the platform forces you to provide all keys or allows search-only operation with just X_BEARER_TOKEN.
Persistence & Privilege
ok: The manifest's always flag is false, and the skill does not request elevated or platform-wide persistent privileges. setup_cron.sh can register a scheduled job via openclaw.mjs (the OpenClaw CLI), which is normal installer behavior and is scoped to scheduling this skill's own run.