← Back to Skills Marketplace
robbyczgw-cla

X Apify

by Robby · GitHub ↗ · v1.0.8 · MIT-0
cross-platform ⚠ suspicious
1207
Downloads
0
Stars
1
Active Installs
8
Versions
Install in OpenClaw
/install x-apify
Description
Fetch X/Twitter data via Apify actors. Search tweets, get user profiles, retrieve specific tweets with replies. Features local caching to save API costs. Wor...
Usage Guidance
Before installing or running this skill: - Expect to provide an APIFY_API_TOKEN (the SKILL.md and code require it). The registry summary shown to you currently omits this — confirm the platform metadata is updated or the skill will fail. - Review and confirm the default APIFY_ACTOR_ID and any per-run costs on Apify (actors cost credits; check the actor's pricing and your account limits). Running actors can incur charges. - Install 'requests' in the Python environment (pip install requests) or run in a contained environment (virtualenv/container). - Because the skill accepts an APIFY token, consider using a scoped or dedicated token and avoid putting secrets into VCS. The SKILL.md already warns about .env files; follow that guidance. - Verify the source repository / homepage (package.json points to a GitHub repo, but the registry summary lists none). Prefer skills with an accessible repository and issues tracker so you can inspect updates and provenance. - The code contains a changelog entry noting fixes for an arbitrary file write vulnerability in prior versions; ensure you are using the published patched version and consider reviewing the cache-related code if you have elevated security requirements. If these inconsistencies (missing declared env in registry, unknown source) worry you, treat the skill as untrusted until the publisher fixes the metadata or provides a verified upstream repository.
Capability Analysis
Type: OpenClaw Skill Name: x-apify Version: 1.0.8 The x-apify skill is a legitimate tool for fetching Twitter/X data via the Apify API. The code demonstrates security awareness by implementing explicit path-traversal protections in `scripts/config.py` (restricting the cache directory to the skill root) and `scripts/fetch_tweets.py` (restricting file output to the script directory or /tmp). It performs standard API interactions with api.apify.com, includes input sanitization for queries and usernames, and lacks any indicators of malicious intent, data exfiltration, or unauthorized execution.
Capability Assessment
Purpose & Capability
The skill's stated purpose is to fetch X/Twitter data via Apify and the SKILL.md, package.json, and code all reference APIFY_API_TOKEN and optionally APIFY_ACTOR_ID and X_APIFY_CACHE_DIR — those are reasonable for the described purpose. However, the registry summary at the top (Requirements: Required env vars: none, Primary credential: none, Homepage: none) conflicts with the included SKILL.md/package.json and the scripts. That registry-level omission is an incoherence: the skill will not work without APIFY_API_TOKEN but the record does not declare it.
Instruction Scope
The runtime instructions and scripts stay within the expected scope: they read APIFY_API_TOKEN/APIFY_ACTOR_ID/X_APIFY_CACHE_DIR, call api.apify.com endpoints, and read/write a local cache directory inside the skill root. The cache path is explicitly constrained to the skill directory to avoid path traversal. No unexpected external endpoints or broad system probing are present in the visible code.
Install Mechanism
There is no automated install/download step (instruction-only skill with included Python scripts). That is lower risk. The scripts require the third-party 'requests' library, but there is no install automation — users must pip install it themselves. No remote arbitrary downloads or extracted archives are performed by the skill.
Credentials
The code and SKILL.md require a single credential (APIFY_API_TOKEN) and optionally APIFY_ACTOR_ID and X_APIFY_CACHE_DIR, which are proportionate to the task. The concern is the metadata mismatch: the top-level registry view claims 'required env vars: none' and 'primary credential: none' despite the code requiring APIFY_API_TOKEN. That omission could mislead users or automated systems about what secrets will be used. Also note Apify usage may incur billing/credits; the default actor has a cost profile and the changelog indicates actor changes — verify the actor id/cost before use.
Persistence & Privilege
The skill is not force-installed (always: false). It only persists its own cache under the skill directory and respects an environment override but prevents escaping the skill root. It does not modify other skills or global agent settings in the visible code.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install x-apify
  3. After installation, invoke the skill by name or use /x-apify
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.8
Security fix: restrict X_APIFY_CACHE_DIR to skill root directory to prevent arbitrary file write vulnerability
v1.0.7
Security fix: restrict X_APIFY_CACHE_DIR to skill root directory to prevent arbitrary file write vulnerability
v1.0.6
- Update version to 1.0.6. - Update dependencies in package.json. - Internal improvements to scripts/config.py and scripts/fetch_tweets.py. - Updated CHANGELOG.md with latest changes.
v1.0.5
Synced version metadata and retained recent output/path safety fixes.
v1.0.3
- Updated version to 1.0.3. - Documentation and metadata refreshed in SKILL.md. - No functional changes to the code.
v1.0.2
Fix homepage URL, metadata consistency
v1.0.1
Fix: switch to quacker~twitter-scraper actor, correct field mapping, tested and working
v1.0.0
Initial release: Tweet search, user profiles, tweet detail + replies, local caching, ClawHub scanner compliant
Metadata
Slug x-apify
Version 1.0.8
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 8
Frequently Asked Questions

What is X Apify?

Fetch X/Twitter data via Apify actors. Search tweets, get user profiles, retrieve specific tweets with replies. Features local caching to save API costs. Wor... It is an AI Agent Skill for Claude Code / OpenClaw, with 1207 downloads so far.

How do I install X Apify?

Run "/install x-apify" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is X Apify free?

Yes, X Apify is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does X Apify support?

X Apify is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created X Apify?

It is built and maintained by Robby (@robbyczgw-cla); the current version is v1.0.8.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments