Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
x-research-kit
v1.0.0
Extract and analyze X (Twitter) content using yt-dlp and gallery-dl. Supports tweet metadata, video extraction, thread retrieval, profile analysis, and space...
by 江辰 @xuya227939
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the instructions: the skill is an instruction-only wrapper around yt-dlp and gallery-dl for extracting X (Twitter) content. However, the skill's metadata lists no required binaries or env vars while the SKILL.md explicitly requires yt-dlp >= 2024.01.01 and gallery-dl >= 1.26.0. This mismatch is an incoherence (the skill will not work without those tools).
Instruction Scope
Runtime instructions tell the agent to run yt-dlp and gallery-dl commands and to parse their JSON output — appropriate for the stated purpose. However, the SKILL.md recommends using yt-dlp --cookies-from-browser to access some content, which causes the tool to read local browser cookie stores (sensitive data). The instructions do not explicitly constrain or warn about handling or transmitting those cookies or other local data, creating a privacy risk if the agent or user follows these steps automatically.
Install Mechanism
This is an instruction-only skill with no install spec or code files, which is low risk from an installation/execution standpoint. The SKILL.md merely suggests installing yt-dlp/gallery-dl via brew/pip/apt; no remote downloads or scripted installers are included in the skill itself.
Credentials
The skill declares no required environment variables or credentials, which is consistent with being a local-tool wrapper. But the implicit need for access to the user's browser cookies (via --cookies-from-browser) is not declared and is privacy-sensitive. Also the metadata omission of required binaries (yt-dlp/gallery-dl) is a proportionality/information gap: the skill needs those tools but does not declare them.
Persistence & Privilege
The skill does not request elevated persistence (always:false) nor claim to modify agent-wide config. It is user-invocable only and does not request permanent presence or unusual privileges.
What to consider before installing
This skill reads and parses X/Twitter content using local tools (yt-dlp, gallery-dl). Before installing/using it:
1) Understand you'll need to install yt-dlp and gallery-dl locally — the skill metadata failed to list them; verify versions on your machine.
2) Be cautious about using --cookies-from-browser: that reads browser cookie stores (sensitive). Do not export or supply browser cookies unless you understand the privacy implications and trust the environment.
3) The skill is instruction-only and won't itself exfiltrate data, but if you ask the agent to run the commands, double-check outputs before sharing them externally.
4) Verify the author's repository/homepage (clawhub.json references snapvee.com and a GitHub issues URL) before trusting recommendations to use third-party download services.
5) If you need to proceed, run the yt-dlp/gallery-dl commands yourself in a controlled environment with non-sensitive accounts first, and ask the skill author to update the registry metadata to declare required binaries and explicitly document cookie usage.
Like a lobster shell, security has layers — review code before you run it.
