Twitter/X Reader

Extract complete data from X/Twitter tweets by URL, including text, author info, timestamps, engagement stats, media, quoted tweets, and thread context.

This skill appears to do what it says: it fetches tweet data via api.fxtwitter.com and falls back to public Nitter instances. Before installing: (1) review the scripts yourself (they're shell scripts and human-readable); (2) be aware that fetching tweets will expose your IP address and User-Agent to the remote host(s) — FxTwitter and any chosen Nitter instance will see those request headers; (3) the Nitter fallback queries multiple community instances (some may be unreliable or untrusted), so if privacy is a concern restrict or remove fallback instances or run the skill only when necessary; (4) verify network access and that curl/jq are up-to-date; (5) test the skill in an isolated environment if you want to avoid contacting third‑party hosts until you've reviewed the code. Overall the skill is internally consistent and does not ask for excessive permissions or secrets.

Type: OpenClaw Skill Name: twitter-reader Version: 1.0.0 The skill is designed to read tweets from X/Twitter using the FxTwitter API and Nitter as a fallback. While the overall intent appears benign and there are no direct prompt injection attempts in SKILL.md, the `scripts/read_tweet.sh` and `scripts/read_thread.sh` files contain a potential shell injection vulnerability. The `$user` variable, extracted from user-provided URLs using a broad regex `([^/]+)`, is directly inserted into `curl` commands without explicit sanitization. Although `curl` is generally robust, a crafted username could theoretically introduce shell metacharacters, posing a low-probability risk for command execution. Additionally, `scripts/read_tweet_nitter.sh` uses fragile `grep`/`sed` parsing for HTML, which is a reliability vulnerability, though not directly malicious.