X Search (x402)

by TzannetosGiannis · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads 2508
Stars 0
Active Installs 7
Versions 1
Install in OpenClaw
/install x-search-x402
Description
AI-powered X/Twitter search for real-time trends, breaking news, sentiment analysis, and social media insights. Use when users want to search Twitter/X for topics, hashtags, viral content, or public opinion. Costs $0.05 USDC per request via x402 protocol on Base network.
Usage Guidance
Do not run this script or call its npx command until you verify a few things:
  1. The registry metadata should list the required credential (X402_PRIVATE_KEY); its omission is an inconsistency.
  2. Inspect the npm package @itzannetos/x402-tools-claude (or avoid npx): npx -y will download and execute code that could exfiltrate your key. Prefer a pinned package version, or vendor the reviewed code into the skill instead of using npx.
  3. Avoid storing private keys in plaintext files in your home directory; use environment variables or a secure signer/wallet.
  4. If you must test, do so in an isolated environment (throwaway wallet with minimal funds/USDC) and review network calls made by the npm package.
If you cannot validate the npm package author and contents, treat this skill as risky.
Capability Analysis
Type: OpenClaw Skill
Name: x-search
Version: 1.0.0
The skill is classified as suspicious due to its handling of a sensitive private key and reliance on an external dependency. The `SKILL.md` instructs the AI agent to configure and use an `X402_PRIVATE_KEY` (for payment via x402 protocol) by reading it from environment variables or `~/.x402-config.json`. The `scripts/search.sh` script then reads this private key and exports it for use by `npx @itzannetos/x402-tools-claude`. While the private key is stated to be for payment, handling such a sensitive credential and executing an external, third-party `npx` package introduces significant supply chain and credential management risks, even without explicit evidence of malicious intent within the provided files.
Capability Assessment
Purpose & Capability
The skill claims to perform paid X/Twitter searches via the x402 protocol, which reasonably requires a signing/payment key. However, the package/registry metadata declares no required env vars or primary credential while the SKILL.md and script explicitly require an X402 private key. That's an internal inconsistency: either the registry metadata is incomplete or the skill is asking for credentials that weren't disclosed.
Instruction Scope
SKILL.md and scripts/search.sh instruct the agent (and user) to provide a private key via env var or by placing a plaintext JSON file in home/current/PWD. The script reads that file and exports X402_PRIVATE_KEY, then invokes an external tool. There are no instructions limiting how the key may be used; storing a private key in ~/.x402-config.json is insecure and the script grants the external npm tool full access to that key at runtime.
Install Mechanism
There is no install spec in the skill registry, but the shipped script runs npx -y @itzannetos/x402-tools-claude x-search — which will fetch and execute code from the npm registry at runtime without a pinned version. That is a moderate-to-high risk vector: it executes third-party code fetched on demand and could run arbitrary network/file operations. The npm package author and package contents are not referenced in the skill metadata or SKILL.md for review.
Credentials
Requesting an x402/private key is proportionate to a paid blockchain-backed search service, but the skill fails to declare this credential in its manifest (registry shows no required env vars/primary credential). The SKILL.md also recommends storing the private key in plaintext files, increasing risk. The skill does not declare or justify other sensitive environment access, but the undocumented credential requirement is the main issue.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide changes. It is user-invocable and can be invoked autonomously (platform default). It does read files in the user's home/current/PWD scopes but does not modify other skills or global config.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install x-search-x402
  3. After installation, invoke the skill by name or use /x-search-x402
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of x-search: AI-powered X/Twitter search tool.
- Real-time search for trends, breaking news, sentiment analysis, and social insights.
- Supports searches by topics, hashtags, viral content, and public opinion.
- Paid per request ($0.05 USDC via x402 protocol on Base network).
- Configurable via environment variable or JSON config file for private key.
- Provides clear error handling and usage examples for quick setup.
Metadata
Slug x-search-x402
Version 1.0.0
License
All-time Installs 8
Active Installs 7
Total Versions 1
Frequently Asked Questions

What is X Search (x402)?

AI-powered X/Twitter search for real-time trends, breaking news, sentiment analysis, and social media insights. Use when users want to search Twitter/X for topics, hashtags, viral content, or public opinion. Costs $0.05 USDC per request via x402 protocol on Base network. It is an AI Agent Skill for Claude Code / OpenClaw, with 2508 downloads so far.

How do I install X Search (x402)?

Run "/install x-search-x402" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is X Search (x402) free?

Yes, X Search (x402) is completely free (open-source). You can download, install and use it at no cost.

Which platforms does X Search (x402) support?

X Search (x402) is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created X Search (x402)?

It is built and maintained by TzannetosGiannis (@tzannetosgiannis); the current version is v1.0.0.
