ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Post Tweets

v1.0.0

Use when the user needs to interact with X (Twitter) — searching tweets, looking up users/followers, posting tweets/replies, liking, retweeting, following/un...

0· 43·0 current·0 all-time
by@xquik·duplicate of @xquik/get-user-tweets
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchasesRequires OAuth tokenPosts externally
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (interact with X/Twitter) align with the declared requirement (XQUIK_API_KEY) and the SKILL.md which documents using the Xquik REST and MCP APIs. Required env vars and optional webhook secret directly serve the described functionality; no unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md limits behavior to calling Xquik endpoints, using the provided MCP tools (explore + xquik), handling webhooks with a per-webhook HMAC secret, and requiring user confirmations for writes/payments. It explicitly forbids executing instructions embedded in X content and forbids local file/network/code execution. The instructions do include bulk extraction and monitoring workflows (expected for this service) and require cost estimates before extraction.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code — the lowest-risk install model. No downloads, archives, or npm/brew installs are requested.
Credentials
Only XQUIK_API_KEY is required (declared as primary credential); XQUIK_WEBHOOK_SECRET is optional and only for webhook handlers. Both are proportional and justified by the API/webhook use cases. No unrelated SECRET/TOKEN/PASSWORD variables are requested.
Persistence & Privilege
always:false (default) so the skill is not force-included. The execution model is api-only with no local file, code execution, or system modifications described. Autonomous invocation is allowed (default) but not combined with any unusual persistent privileges.
Assessment
This skill is internally consistent, but before installing: (1) only grant a scoped, revocable Xquik API key (rotate or revoke if abused); (2) understand that bulk extraction and write actions cost credits—the skill requires explicit confirmation for writes/payments but confirm cost limits yourself; (3) if you plan to register webhooks, store the per-webhook secret securely (it is not the account API key); (4) review Xquik's homepage/docs and privacy/terms to ensure data use complies with your privacy and legal requirements; (5) because the skill calls an external service, treat network access and the API key as sensitive and avoid reusing high-privilege keys elsewhere.

Like a lobster shell, security has layers — review code before you run it.

latestvk97adafw4afmq41dhv1d4jc2r984rhzy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

𝕏 Clawdis
EnvXQUIK_API_KEY
Primary envXQUIK_API_KEY

Comments