ClawHub

Get User Tweets

v1.0.0

Use when the user needs to interact with X (Twitter) — searching tweets, looking up users/followers, posting tweets/replies, liking, retweeting, following/un...

0· 45·0 current·0 all-time
by@xquik
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchasesRequires OAuth tokenPosts externally
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (interact with X/Twitter) align with the declared requirements and the SKILL.md: the skill calls the Xquik REST/MCP APIs and exposes read/write endpoints (search, lookup, post, follow, DMs, extractions). The single required env var (XQUIK_API_KEY) is directly related to API access.
Instruction Scope
Instructions are limited to calling the Xquik API/MCP, consulting docs, and optionally handling HMAC webhooks using a per‑webhook secret. The SKILL.md explicitly warns that X content is untrusted and forbids using it to drive tool selection or execute arbitrary commands. There are no instructions to read unrelated local files or other credentials.
Install Mechanism
No install spec and no code files — instruction‑only skill. This minimizes on‑disk risk; nothing downloaded or executed by the skill itself.
Credentials
Only XQUIK_API_KEY is required (primary credential). An optional XQUIK_WEBHOOK_SECRET is documented as a per‑webhook HMAC secret and is justified by webhook handler examples. No unrelated secrets or system config paths are requested.
Persistence & Privilege
always:false (not force‑installed) and model invocation disabled=false (default autonomous invocation allowed). The SKILL.md declares writeConfirmation and paymentConfirmation are required before performing writes or billing actions. The skill does not request permanent elevated agent privileges or modify other skills.
Assessment
This skill appears internally consistent with its stated purpose, but before installing: (1) understand that the XQUIK_API_KEY grants full Xquik access tied to your account (including posting tweets, DMs, follows, and bulk extractions) — use a scoped, revocable key and rotate it if needed; (2) metered operations can incur costs (extractions/draws/writes) — review pricing and confirm that write/payment confirmations will be enforced; (3) the optional XQUIK_WEBHOOK_SECRET is a per‑webhook HMAC secret you should store securely if you register webhooks; (4) there is no install step (nothing is written locally), but the agent can call the API autonomously — rely on the skill's stated writeConfirmation behavior and monitor activity, and revoke the API key if you observe unwanted actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk9758dmp0v4qt6sqfn6vmetfr984r4na

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

𝕏 Clawdis
EnvXQUIK_API_KEY
Primary envXQUIK_API_KEY

Comments