OEE Social Research

Conduct tiered social media research on Twitter and web sources, compiling insights into structured briefings without requiring API keys for basic access.

What to consider before installing: - Prompt-injection: The SKILL.md contains hidden Unicode/control characters (scanner flagged this). These can be used to hide instructions or influence agent behavior — inspect the raw SKILL.md (bytes) and remove unexpected control characters before trusting the skill. - Privacy: The skill logs queries and usage to .logs and caches results in .cache and writes briefings to .briefings in the skill directory. If you will search sensitive topics, run this in a disposable or isolated environment and clear those directories afterwards. - Network endpoints: At runtime the code contacts api.fxtwitter.com, multiple public SearXNG instances, DuckDuckGo HTML, optional Brave search (if BRAVE_API_KEY set), and several public nitter instances. Public community instances can be unreliable or privacy-poor — consider restricting network access or replacing endpoints with your own trusted services. - Optional env var: BRAVE_API_KEY is supported but optional. Do not populate environment variables with unrelated secrets. - Missing chunk: Part of social_research.py was truncated in the supplied bundle. Before installing or granting autonomous execution, review the full source (especially the Tier 3/browser automation section) to ensure it doesn't launch arbitrary binaries, execute remote scripts, or post results to unexpected endpoints. - Safe deployment suggestions: run in a sandbox/container, restrict outbound network egress to known trusted hosts, disable autonomous invocation if you want to manually review outputs, and inspect/clean the .logs/.cache/.briefings directories after use. If you want, I can: (1) show the raw bytes of SKILL.md so you can see/control characters, (2) search the full source for subprocess.exec/requests that post data externally, or (3) suggest simple code edits to remove logging of raw queries or limit external hosts.

Type: OpenClaw Skill Name: oee-social-research Version: 1.0.0 The skill is classified as suspicious due to its broad, self-implemented network access and web scraping capabilities across multiple external services (Brave, SearXNG, DuckDuckGo, Nitter instances) as seen in `social_research.py`. While these actions align with the stated purpose of a social research tool, they introduce a significant attack surface by making requests to and parsing content from various third-party domains. Additionally, the script reads `BRAVE_API_KEY` from environment variables, a capability that, while used for its stated purpose here, could be leveraged for exfiltration in a malicious context. There is no evidence of intentional malicious behavior, but these capabilities present a higher risk profile than a skill strictly relying on agent-provided, sandboxed tools.