X Tweet Fetcher

Fetch tweets, replies, and user timelines from X/Twitter without login or API keys. Also supports Chinese platforms (Weibo, Bilibili, CSDN, WeChat). Includes...

This skill largely does what it claims (scrapes X and some Chinese sites), but caution is warranted: - Hidden/undeclared capabilities: The code can read environment variables (e.g., SOGOU_SSH_HOST, TWEET_GROWTH_*), write to local queue/result files, and perform scp/ssh to remote hosts. None of those env vars or config paths are declared in the SKILL.md/metadata. Treat those as surprising capabilities you should double-check before enabling. - SSH/remote execution: If you set SOGOU_SSH_HOST (or use the 'via-ssh' feature), the skill will copy a script to that host and run it via ssh. Only point it at hosts you fully control/trust and understand that your SSH keys will be used for remote execution. - Router queue files: The 'via-router' mode writes commands to and reads results from files (defaults to /root/router-agent/*). Do not enable that unless you know what service/process is on the other end; misconfigured paths could lead to unexpected file writes or interference with system services. - Camofox dependency: The optional Camofox browser is described as an anti-detection tool; installing or running it increases risk and should be audited separately (it's a 3rd-party project outside OpenClaw). The skill assumes a local HTTP API at localhost:9377 — verify that endpoint before connecting it to this skill. - Safe usage recommendations: run this skill in a sandbox/container or non-privileged account, review/grep the code for any operations you find unsafe (file paths, subprocess calls, scp/ssh), and avoid setting env vars like SOGOU_SSH_HOST unless necessary. If you plan to use the router/SSH features, inspect and control the remote host and any router-agent processes first. If you need full assurance, ask the publisher for the canonical upstream source and review it; if you can't verify the Camofox/Camoufox components, avoid enabling the browser-dependent features.

Type: OpenClaw Skill Name: rightister-x-tweet-fetcher Version: 1.4.0 The skill bundle provides extensive social media scraping capabilities but includes highly risky system-level interactions. Specifically, 'scripts/sogou_wechat.py' and 'scripts/fetch_china.py' contain functions to execute arbitrary commands on remote hosts via SSH ('sogou_wechat_search_via_ssh') and interact with a command queue located in a sensitive system path ('/root/router-agent/cmd-queue'). While these are documented as methods to bypass IP-based rate limits using home routers or proxies, they function as primitives for remote code execution (RCE) and lateral movement. The bundle also includes a background version checker ('scripts/version_check.py') that connects to GitHub.