X Twitter
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: x-twitter-api
Version: 1.0.1
The skill bundle is suspicious due to a path traversal vulnerability in all three Python scripts (`scripts/get_article.py`, `scripts/get_trends.py`, `scripts/search_tweets.py`). The `--save` argument, which allows users to specify an output file, does not sanitize input, potentially allowing an attacker to write arbitrary JSON content to any file on the system where the agent has write permissions (e.g., `../../../../etc/passwd`). There is no evidence of intentional malicious behavior like data exfiltration to external endpoints, backdoors, or prompt injection against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use your X API token to make read-oriented API requests, which may consume rate limits or paid API quota.
The skill requires an X/Twitter bearer token. This credential use is clearly disclosed and directly aligned with accessing the X API.
metadata: { "openclaw": { "emoji": "𝕏", "requires": { "bins": ["python3"] }, "env": ["X_BEARER_TOKEN"], "primaryEnv": "X_BEARER_TOKEN" } }
Use a token scoped appropriately for read-only API access when possible, and monitor X API usage or billing limits.
Queries and requested tweet IDs or trend locations are sent to X's API as part of normal operation.
The script makes external API requests using user-provided search parameters. This is expected for a Twitter/X search client and is not account-mutating.
response = requests.get(url, headers=self.headers, params=params)
Avoid entering sensitive private information as search queries unless you are comfortable sending it to X.
If requests is not already installed, the user may need to install it separately, and should use a trusted package source.
The scripts depend on the external Python requests package, but the artifact set has no install spec or pinned dependency file. There is no automatic install behavior shown.
import requests
Install dependencies from a trusted Python package index and prefer pinned versions in controlled environments.
