Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X Twitter

v1.0.1

X (Twitter) API client for searching tweets, retrieving article content, and fetching trending topics. Supports both Bearer Token (app-only) and OAuth 2.0 authentication.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the code: scripts perform tweet search, article/tweet retrieval, and trends using X API v2. Minor inconsistency: SKILL.md / description say the skill “supports both Bearer Token (app-only) and OAuth 2.0”, but the included scripts only use a bearer token (X_BEARER_TOKEN) and do not implement an OAuth flow. Also the registry summary above listed “Required env vars: none” while the package declares a primary credential X_BEARER_TOKEN and SKILL.md instructs users to set it.
Instruction Scope
SKILL.md and the scripts only direct the agent/user to run the included Python scripts, set X_BEARER_TOKEN, call https://api.x.com/2 endpoints, and optionally save outputs to files. The instructions do not ask the agent to read arbitrary host files, other credentials, or exfiltrate data to unexpected endpoints.
Install Mechanism
No install spec; the skill is instruction-first and bundles small Python scripts. There are no remote downloads, installers, or extracted archives. Required runtime is just python3 and the requests library (imported in scripts), which is expected for these scripts.
Credentials
Only a single credential (X_BEARER_TOKEN) is used as the primary credential. That is proportionate to a client that makes authenticated calls to the X API. No unrelated secrets or config paths are requested.
Persistence & Privilege
always: false and disable-model-invocation: false (standard). The skill does not request permanent system-wide changes, nor does it modify other skills' configs. It only reads X_BEARER_TOKEN and writes user-specified output files.
Assessment
This skill appears to do what it says: three Python scripts that call X's API using a bearer token. Before installing or running:
1) Confirm you are comfortable storing X_BEARER_TOKEN in your environment (anyone with the token can access your app-level API).
2) Note the SKILL.md claim about OAuth 2.0 is not implemented in the scripts — if you need user-auth flows, this package doesn't provide them.
3) Review the scripts (they are short) before running and consider running them in an isolated environment; they only connect to https://api.x.com/2 and optionally write results to files you specify.
4) Be aware some endpoints (trends) may require a paid tier; check your token permissions and rate limits.
If you need the skill to support OAuth flows or to avoid storing long-lived tokens in env vars, ask the author for clarification or an updated release.


latest: vk976fvxdq2ywfj775dzk2ve48s8132a4


Runtime requirements

𝕏 Clawdis
Bins: python3
Primary env: X_BEARER_TOKEN
