Total downloads: 1207
Favorites: 0
Current installs: 1
Versions: 8
Install in OpenClaw
/install x-apify
Description
Fetch X/Twitter data via Apify actors. Search tweets, get user profiles, retrieve specific tweets with replies. Features local caching to save API costs. Wor...
Security usage recommendations
Before installing or running this skill:
- Expect to provide an APIFY_API_TOKEN (the SKILL.md and code require it). The registry summary shown to you currently omits this — confirm the platform metadata is updated or the skill will fail.
- Review and confirm the default APIFY_ACTOR_ID and any per-run costs on Apify (actors cost credits; check the actor's pricing and your account limits). Running actors can incur charges.
- Install 'requests' in the Python environment (pip install requests) or run in a contained environment (virtualenv/container).
- Because the skill accepts an APIFY token, consider using a scoped or dedicated token and avoid putting secrets into VCS. The SKILL.md already warns about .env files; follow that guidance.
- Verify the source repository / homepage (package.json points to a GitHub repo, but the registry summary lists none). Prefer skills with an accessible repository and issues tracker so you can inspect updates and provenance.
- The code contains a changelog entry noting fixes for an arbitrary file write vulnerability in prior versions; ensure you are using the published patched version and consider reviewing the cache-related code if you have elevated security requirements.
If these inconsistencies (missing declared env in registry, unknown source) worry you, treat the skill as untrusted until the publisher fixes the metadata or provides a verified upstream repository.
Functional analysis
Type: OpenClaw Skill
Name: x-apify
Version: 1.0.8
The x-apify skill is a legitimate tool for fetching Twitter/X data via the Apify API. The code demonstrates security awareness by implementing explicit path-traversal protections in `scripts/config.py` (restricting the cache directory to the skill root) and `scripts/fetch_tweets.py` (restricting file output to the script directory or /tmp). It performs standard API interactions with api.apify.com, includes input sanitization for queries and usernames, and lacks any indicators of malicious intent, data exfiltration, or unauthorized execution.
Capability assessment
Purpose & Capability
The skill's stated purpose is to fetch X/Twitter data via Apify and the SKILL.md, package.json, and code all reference APIFY_API_TOKEN and optionally APIFY_ACTOR_ID and X_APIFY_CACHE_DIR — those are reasonable for the described purpose. However, the registry summary at the top (Requirements: Required env vars: none, Primary credential: none, Homepage: none) conflicts with the included SKILL.md/package.json and the scripts. That registry-level omission is an incoherence: the skill will not work without APIFY_API_TOKEN but the record does not declare it.
Instruction Scope
The runtime instructions and scripts stay within the expected scope: they read APIFY_API_TOKEN/APIFY_ACTOR_ID/X_APIFY_CACHE_DIR, call api.apify.com endpoints, and read/write a local cache directory inside the skill root. The cache path is explicitly constrained to the skill directory to avoid path traversal. No unexpected external endpoints or broad system probing are present in the visible code.
Install Mechanism
There is no automated install/download step (instruction-only skill with included Python scripts). That is lower risk. The scripts require the third-party 'requests' library, but there is no install automation — users must pip install it themselves. No remote arbitrary downloads or extracted archives are performed by the skill.
Credentials
The code and SKILL.md require a single credential (APIFY_API_TOKEN) and optionally APIFY_ACTOR_ID and X_APIFY_CACHE_DIR, which are proportionate to the task. The concern is the metadata mismatch: the top-level registry view claims 'required env vars: none' and 'primary credential: none' despite the code requiring APIFY_API_TOKEN. That omission could mislead users or automated systems about what secrets will be used. Also note Apify usage may incur billing/credits; the default actor has a cost profile and the changelog indicates actor changes — verify the actor id/cost before use.
Persistence & Privilege
The skill is not force-installed (always: false). It only persists its own cache under the skill directory and respects an environment override but prevents escaping the skill root. It does not modify other skills or global agent settings in the visible code.
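How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install x-apify
- After installation, call the Skill by name or use /x-apify to trigger it
- Provide the required input according to the Skill's parameter description to get structured output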
Version history
v1.0.8
Security fix: restrict X_APIFY_CACHE_DIR to skill root directory to prevent arbitrary file write vulnerability
v1.0.7
Security fix: restrict X_APIFY_CACHE_DIR to skill root directory to prevent arbitrary file write vulnerability
v1.0.6
- Update version to 1.0.6.
- Update dependencies in package.json.
- Internal improvements to scripts/config.py and scripts/fetch_tweets.py.
- Updated CHANGELOG.md with latest changes.
v1.0.5
Synced version metadata and retained recent output/path safety fixes.
v1.0.3
- Updated version to 1.0.3.
- Documentation and metadata refreshed in SKILL.md.
- No functional changes to the code.
v1.0.2
Fix homepage URL, metadata consistency
v1.0.1
Fix: switch to quacker~twitter-scraper actor, correct field mapping, tested and working
v1.0.0
Initial release: Tweet search, user profiles, tweet detail + replies, local caching, ClawHub scanner compliant
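Metadata
FAQ
What is X Apify?
Fetch X/Twitter data via Apify actors. Search tweets, get user profiles, retrieve specific tweets with replies. Features local caching to save API costs. Wor... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1207 cumulative downloads to date.
How do I install X Apify?
Run the command "/install x-apify" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is X Apify free?
Yes, X Apify is completely free and is released under the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does X Apify support?
X Apify is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed X Apify?
Developed and maintained by Robby (@robbyczgw-cla); the current version is v1.0.8.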