Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X / Twitter Search

Search X/Twitter in real-time using Grok or X API. Find tweets, trends, and discussions with citations.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
13 · 1.2k · 3 current installs · 4 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (X/Twitter search) align with what is present: a Node script that calls either xAI's Responses API (x_search tool) or X's search API. Declared requirement (node) and primaryEnv (XAI_API_KEY) match the default Grok mode. Optional X_BEARER_TOKEN is documented and used only for the native X API path.
Instruction Scope
SKILL.md instructs running scripts/search.js and documents environment variables and modes; the script only makes HTTPS requests to api.x.ai and api.x.com and formats results. A pre-scan flagged 'system-prompt-override' because the script builds a systemPrompt sent to xAI in the request payload — this is expected for the Grok mode (it configures the remote model) and does not override the local agent's system prompt. Review of the script confirms it does not read local files, access other env vars, or call unexpected endpoints.
Install Mechanism
No install spec provided (instruction-only + included script). The skill requires node on PATH and contains a local script. There are no downloads from untrusted URLs or archive extraction steps in the repo.
Credentials
Only XAI_API_KEY is required (primary). The code also accepts optional X_BEARER_TOKEN/TWITTER_BEARER_TOKEN for the X API path; all requested env vars are directly used for calls to the documented endpoints. There are no unrelated or excessive credentials requested.
Persistence & Privilege
Skill is not always-enabled and sets disable-model-invocation: true (cannot be invoked autonomously), which reduces risk. The skill does not claim or appear to modify other skills or system-wide settings.
Scan Findings in Context
[system-prompt-override] expected: The script deliberately builds a 'systemPrompt' and includes it in the payload to xAI's Responses API; the scanner flags this pattern generically, but in this context it configures the remote model's behavior for search output and does not affect the host agent's system prompt or exfiltrate data.
Assessment
This skill appears to do what it says, but take these precautions before installing: (1) Inspect scripts/search.js (already included) and confirm you are comfortable sending XAI_API_KEY to api.x.ai and any X_BEARER_TOKEN to api.x.com. (2) Provide only the credential(s) you intend to use (e.g., give XAI_API_KEY only if using Grok mode); consider using an API key with limited scope and easy rotation. (3) Because the skill runs a local Node script, run it in an environment you control (not with highly privileged credentials). (4) Note the scanner flagged 'system-prompt-override' — this is expected because the skill sends a systemPrompt to the remote model; if you are concerned, review the payload formatting in the script. (5) If you have strict security needs, run the script in an isolated container or sandbox before adding to production.

Current version: v1.0.1

Runtime requirements

🔍 Clawdis
Bins: node
Env: XAI_API_KEY
Primary env: XAI_API_KEY

SKILL.md

Search X

Real-time X/Twitter search with two modes:

  1. xAI Grok (default) — AI-powered search with x_search tool, up to 30 days
  2. X API (--x-api) — Native X search, up to 7 days, pay-per-use

Setup

Option 1: xAI API (default)

export XAI_API_KEY="xai-YOUR-KEY"

Get your key at: https://console.x.ai

Option 2: X API (native)

export X_BEARER_TOKEN="YOUR-BEARER-TOKEN"

Get your token at: https://console.x.com

Note: X API uses pay-per-usage pricing. No subscription needed.

Commands

Basic Search (xAI Grok)

node {baseDir}/scripts/search.js "AI video editing"

Native X API Search

node {baseDir}/scripts/search.js --x-api "AI video editing"
node {baseDir}/scripts/search.js --x-api --max 50 "trending topic"  # More results

Filter by Time

node {baseDir}/scripts/search.js --days 7 "breaking news"
node {baseDir}/scripts/search.js --days 1 "trending today"
node {baseDir}/scripts/search.js --x-api --days 7 "news"  # X API max is 7 days

Filter by Handles

node {baseDir}/scripts/search.js --handles @elonmusk,@OpenAI "AI announcements"
node {baseDir}/scripts/search.js --exclude @bots "real discussions"

Output Options

node {baseDir}/scripts/search.js --json "topic"        # Full JSON response
node {baseDir}/scripts/search.js --compact "topic"     # Just tweets, no fluff
node {baseDir}/scripts/search.js --links-only "topic"  # Just X links

Example Usage in Chat

User: "Search X for what people are saying about Claude Code"
Action: Run search with query "Claude Code"

User: "Find tweets from @remotion_dev in the last week"
Action: Run search with --handles @remotion_dev --days 7

User: "What's trending about AI on Twitter today?"
Action: Run search with --days 1 "AI trending"

User: "Search X for Remotion best practices, last 30 days"
Action: Run search with --days 30 "Remotion best practices"

How It Works

xAI Grok Mode (default)

Uses xAI's Responses API (/v1/responses) with the x_search tool:

  • Model: grok-4-1-fast (optimized for agentic search)
  • Up to 30 days of history
  • AI-powered result formatting with citations
  • Returns real tweets with URLs

X API Mode (--x-api)

Uses X's native search API (/2/tweets/search/recent):

  • Up to 7 days of history
  • Pay-per-usage pricing (no subscription)
  • Raw tweet data with metrics
  • Up to 100 results per query

Response Format

Each result includes:

  • @username (display name)
  • Tweet content
  • Date/time
  • Engagement metrics (X API mode)
  • Direct link to tweet

Environment Variables

xAI Mode:

  • XAI_API_KEY - Your xAI API key (required for default mode)
  • SEARCH_X_MODEL - Model override (default: grok-4-1-fast)
  • SEARCH_X_DAYS - Default days to search (default: 30)

X API Mode:

  • X_BEARER_TOKEN - Your X API Bearer Token
  • TWITTER_BEARER_TOKEN - Alternative env var name

Security & Permissions

What this skill does:

  • Calls xAI's /v1/responses endpoint (Grok mode) or X's /2/tweets/search/recent endpoint (X API mode)
  • Returns public tweet data with URLs and citations
  • All requests go only to api.x.ai or api.x.com

What this skill does NOT do:

  • Does not post, like, retweet, or modify any X/Twitter content
  • Does not access your X/Twitter account or DMs
  • Does not read config files or access the local filesystem
  • Does not send credentials to any third-party endpoint
  • Cannot be invoked autonomously by the agent (disable-model-invocation: true)

Review scripts/search.js before first use to verify behavior.
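
One way to carry out that review, as an added example that is not part of the skill or its SKILL.md: a small Node function that checks a script's source text against the claims above (requests only to api.x.ai or api.x.com, only the documented environment variables, no filesystem access). The function name, finding labels and sample source are assumptions made for illustration.

```javascript
// Added example (not the skill's code). Allowlists come from SKILL.md.
const ALLOWED_HOSTS = new Set(["api.x.ai", "api.x.com"]);
const ALLOWED_ENV = new Set(["XAI_API_KEY", "X_BEARER_TOKEN",
  "TWITTER_BEARER_TOKEN", "SEARCH_X_MODEL", "SEARCH_X_DAYS"]);
// Built-ins that would contradict "does not access the local filesystem"
// or let the script spawn processes or open raw sockets.
const RISKY_MODULES = new Set(["fs", "fs/promises", "child_process", "net", "dgram", "vm"]);

function auditSkillSource(src) {
  const findings = new Map(); // "kind:value" -> finding, to de-duplicate
  const add = (kind, value) => findings.set(`${kind}:${value}`, { kind, value });
  // Absolute URLs: take the whole authority, then drop userinfo and port so
  // "https://api.x.ai@other.example/" is judged by its real host.
  for (const m of src.matchAll(/https?:\/\/([^\/?#\s"'`]+)/g)) {
    const host = m[1].split("@").pop().split(":")[0]
      .replace(/[.,;)]+$/, "").toLowerCase();
    if (!ALLOWED_HOSTS.has(host)) add("unexpected-host", host);
  }
  // Request-option style: hostname: "..." or host: "..."
  for (const m of src.matchAll(/\bhost(?:name)?\s*:\s*["'`]([^"'`]+)["'`]/g)) {
    const host = m[1].toLowerCase();
    if (!ALLOWED_HOSTS.has(host)) add("unexpected-host", host);
  }
  // Named reads: process.env.NAME and process.env["NAME"]
  const envRe = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*["'`]([^"'`]+)["'`]\s*\])/g;
  for (const m of src.matchAll(envRe)) {
    const name = m[1] || m[2];
    if (!ALLOWED_ENV.has(name)) add("unexpected-env", name);
  }
  // process.env[key] or process.env passed whole cannot be checked by name.
  if (/process\.env(?!\w)(?!\s*\.)(?!\s*\[\s*["'`])/.test(src)) add("env-dynamic", "process.env");
  // require("x"), import ... from "x", import("x"), with optional node: prefix
  const modRe = /(?:require\s*\(|\bfrom\s+|\bimport\s*\(?)\s*["'`](?:node:)?([^"'`]+)["'`]/g;
  for (const m of src.matchAll(modRe)) {
    if (RISKY_MODULES.has(m[1])) add("risky-module", m[1]);
  }
  return [...findings.values()];
}

// Constructed input: two lines that must pass, four that must be reported.
const SAMPLE_SOURCE = [
  'const key = process.env.XAI_API_KEY;',
  'const url = "https://api.x.ai/v1/responses";',
  'const alt = "https://api.x.ai@collector.example/v1";',
  'const aws = process.env["AWS_SECRET_ACCESS_KEY"];',
  'const { readFileSync } = require("node:fs");',
  'send(JSON.stringify(process.env));',
].join("\n");
console.log(auditSkillSource(SAMPLE_SOURCE));
```

An empty result is a triage aid, not proof: hosts assembled at run time or obfuscated code will not match these patterns, so read the script as well.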

Files

5 total