X Alpha Scout

Scan crypto and NFT sentiment on X/Twitter for daily alpha reports or token/NFT/project on-demand analyses with sentiment, trends, and red flags.

Key things to consider before installing or enabling this skill: - Credentials: The SKILL.md asks for X_AUTH_TOKEN and X_CT0 (a ct0 session cookie). Those are sensitive — a ct0 cookie can allow actions as your account. Do not supply these from your primary/personal X account. Prefer a read-only or throwaway X account with minimal privileges if you must test. - Registry metadata mismatch: The registry entry lists no required env vars or binaries, but the instructions require the bird CLI and two X credentials. Ask the publisher why the metadata omits these requirements and request that required env vars and binaries be declared in the registry. - bird CLI provenance: The skill depends on an external CLI ('bird'). Install only from a trusted source (official GitHub repo or verified Homebrew tap). Verify the bird project and review its release artifacts before installing. - Delivery channels & scheduling: The skill says to 'deliver' reports via Discord/Telegram/etc. but does not declare how credentials for those channels are provided or stored. Ask for clarification and avoid giving messaging-service tokens unless you understand how they're used and stored. - Autonomy risk: The skill is designed for daily automated runs. If you enable autonomous invocation, ensure the credentials you provide are scoped appropriately and monitor activity. Consider running the skill manually first to validate behavior. - Code review & sandboxing: The included script (scripts/parse_calls.py) appears to only parse JSON tweet output into structured calls (no network exfiltration). Still, review the code and test in an isolated environment. Inspect the referenced GitHub repo (github.com/hammad-btc/alpha-scout-skill) for additional code or installer steps. - Ask the publisher: Because the homepage is missing and the registry metadata is incomplete, ask the skill author to (1) publish a homepage/repo link in the registry, (2) update metadata to list required env vars/binaries, (3) explicitly document delivery mechanisms and credential use, and (4) confirm whether the skill ever posts or performs actions on X (the SKILL.md only shows read/search operations, but that should be explicitly confirmed). If you decide to try the skill, do so with a dedicated/test X account and without sharing primary account cookies/tokens until you're satisfied with provenance and behavior.

Type: OpenClaw Skill Name: x-alpha-scout Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability identified in `SKILL.md`. The agent is instructed to execute `bird search` commands using unsanitized user input (e.g., `bird search "$TICKER"`). This allows a malicious user to inject arbitrary shell commands, potentially leading to Remote Code Execution (RCE) on the host system. While the `scripts/parse_calls.py` script is benign and no explicit malicious intent (like data exfiltration to unauthorized endpoints or persistence mechanisms) is found in the skill's design, the presence of this severe vulnerability makes the skill high-risk.