Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

readx

v1.1.4

Twitter/X intelligence toolkit: analyze users, tweets, trends, communities, and networks

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the declared requirement (READX_API_KEY) and the SKILL.md describes calling a remote readx.cc API or MCP server for Twitter/X analysis. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
Instructions stay within analysis scope (resolve user→user_id, call timelines/search, derive metrics). They do instruct the agent to use curl and to read/write a readx credentials file and to add an MCP server URL that includes the API key query parameter; these are functional for the service but introduce credential-handling choices the user should review.
Install Mechanism
Instruction-only skill with no install spec or code files — minimal disk/write footprint from the skill itself. All runtime behavior is via remote API calls or existing MCP tooling.
Credentials
Only READX_API_KEY is requested (declared as primaryEnv) which is proportionate to an API-based analysis tool. However, the doc recommends embedding the API key in an MCP URL (https://readx.cc/mcp?apikey=<API_KEY>) and persisting it to a plaintext credentials file by default — both raise credential-exposure risks.
Persistence & Privilege
always:false and no requests to modify other skills or system-wide agent settings. The skill does instruct adding an MCP server entry to editor config and optionally writing the API key to a local config file — expected for this functionality but requires user consent.
Assessment
This skill appears to do what it says: it calls a remote readx.cc service and needs an API key. Before installing, verify you trust readx.cc (it's the only network endpoint used). Prefer storing the API key in a secure place (environment variable or credential store) rather than embedding it into URLs or plaintext files. If asked, decline having the agent itself write credentials to your config unless you trust the skill and know exactly where and how the key will be stored. Avoid pasting the API key into public logs or chat. If you want stronger assurance, ask the vendor for documentation, a privacy policy, and whether the MCP URL can be configured without the API key in the query string (e.g., via a secure header or token store).

Like a lobster shell, security has layers — review code before you run it.

latestvk97ang9psqe1s8r6m6he6wtz8981q73a


Runtime requirements

Env: READX_API_KEY
Primary env: READX_API_KEY
