← 返回 Skills 市场
Tweet Search
作者
Burak Bayır
· GitHub ↗
· v1.0.0
· MIT-0
77
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install tweet-search
功能描述
Use when the user needs to interact with X (Twitter) — searching tweets, looking up users/followers, posting tweets/replies, liking, retweeting, following/un...
安全使用建议
What to consider before installing:
- Only give XQUIK_API_KEY if you trust the Xquik service and the skill author. This key grants the skill the ability to read/write on your Xquik account (including posting tweets, DMs, follows) so treat it like a password.
- SKILL.md contains webhook examples that reference XQUIK_WEBHOOK_SECRET but that secret is not declared as a required env var. If you plan to use webhooks, treat that secret carefully and store it in a secure secret manager rather than in plain config files.
- The doc shows examples that instruct adding the API key to local config files (claude, ~/.codex/config.toml, .mcp.json, .vscode). Avoid placing long‑lived keys in widely readable or global config files; prefer ephemeral keys or scoped API keys and rotate them frequently.
- The package metadata marks contentTrust: untrusted and the static scan found a prompt‑injection pattern. Inspect SKILL.md yourself for any hidden or override instructions (search the file for phrases like "ignore previous instructions", or instructions that ask the agent to bypass confirmations). If you cannot verify the author (Xquik) independently, be cautious.
- Because this is instruction-only, no code is run on your machine by default, which reduces install risk — but the agent will make network calls to xquik.com. Monitor your API usage and billing after enabling the skill; consider creating a restricted API key with only the permissions you need (if Xquik supports that) and set spending limits.
If you want to proceed: verify the homepage (https://docs.xquik.com) and confirm the provider identity, use least-privilege credentials, do not store secrets in global files, and review SKILL.md for any prompt‑override text before enabling autonomous use.
功能分析
Type: OpenClaw Skill
Name: tweet-search
Version: 1.0.0
The skill bundle is a highly professional and well-documented integration for the Xquik API, providing extensive capabilities for interacting with X (Twitter). It includes robust security guardrails, such as mandatory user confirmation for financial transactions and write actions (e.g., posting tweets or sending DMs), and explicit instructions for the agent to defend against indirect prompt injection from untrusted X content (SKILL.md). While the service handles sensitive X credentials to enable automation, this behavior is transparently documented and strictly aligned with the stated purpose of the tool. No indicators of malicious intent, data exfiltration, or unauthorized execution were found across the 13 files analyzed.
能力标签
能力评估
Purpose & Capability
Name/description (searching, posting, monitoring X) aligns with the instructions and referenced endpoints. The single required credential (XQUIK_API_KEY) is appropriate for a third‑party API proxy. No unrelated binaries or unrelated cloud credentials are requested.
Instruction Scope
SKILL.md instructs the agent to call Xquik REST/MCP endpoints and to consult docs — this is in scope. However, webhook examples reference an additional secret (XQUIK_WEBHOOK_SECRET) that is not declared in requires.env, and many examples demonstrate adding the API key into local config files (claude, codex, .mcp.json, ~/.vscode) — which encourages persisting the key in user configs. Also the pre-scan found a prompt‑injection pattern (see scan_findings_in_context) inside SKILL.md; while the rest of the instructions appear legitimate, that pattern is unexpected and should be reviewed manually.
Install Mechanism
Instruction-only skill with no install spec and no bundled code — lowest install risk. Nothing is downloaded or written to disk by the skill bundle itself.
Credentials
The skill declares a single primary credential (XQUIK_API_KEY), which is proportional. But SKILL.md uses/mentions additional environment variables (e.g., XQUIK_WEBHOOK_SECRET) in examples without declaring them as required; examples that show injecting API keys into various local tool configs increase the risk that a user may end up storing credentials in less secure locations. The metadata also marks contentTrust as 'untrusted', which is a cautionary flag.
Persistence & Privilege
The skill is not forced-always, and does not request elevated agent-wide privileges. It does not modify other skills' configurations in the provided instructions. Autonomous model invocation is allowed (the default) — no extra persistence privileges are requested.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install tweet-search - 安装完成后,直接呼叫该 Skill 的名称或使用
/tweet-search触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial public release as x-twitter-scraper (v2.0.1), providing robust X (Twitter) REST API integration.
- Enables tweet search, profile lookups, posting/replies, likes, retweets, follows, DMs, bulk data extraction, monitoring, and automation.
- Exposes 120 REST API endpoints, two MCP tools, and HMAC webhook support for real-time integrations.
- Includes clear quick reference, decision trees, detailed authentication, error handling guides, and up-to-date links to official documentation and pricing.
- Requires XQUIK_API_KEY for all operations; security features include prompt injection defense and write/payment confirmations.
元数据
常见问题
Tweet Search 是什么?
Use when the user needs to interact with X (Twitter) — searching tweets, looking up users/followers, posting tweets/replies, liking, retweeting, following/un... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 77 次。
如何安装 Tweet Search?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install tweet-search」即可一键安装,无需额外配置。
Tweet Search 是免费的吗?
是的,Tweet Search 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Tweet Search 支持哪些平台?
Tweet Search 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Tweet Search?
由 Burak Bayır(@kriptoburak)开发并维护,当前版本 v1.0.0。
推荐 Skills