← 返回 Skills 市场
X Search (x402)
作者
TzannetosGiannis
· GitHub ↗
· v1.0.0
2508
总下载
0
收藏
7
当前安装
1
版本数
在 OpenClaw 中安装
/install x-search-x402
功能描述
AI-powered X/Twitter search for real-time trends, breaking news, sentiment analysis, and social media insights. Use when users want to search Twitter/X for topics, hashtags, viral content, or public opinion. Costs $0.05 USDC per request via x402 protocol on Base network.
安全使用建议
Do not run this script or call its npx command until you verify a few things: (1) The registry metadata should list the required credential (X402_PRIVATE_KEY) — its omission is an inconsistency. (2) Inspect the npm package @itzannetos/x402-tools-claude (or avoid npx) — npx -y will download and execute code that could exfiltrate your key. Prefer a pinned package version, or vendor the reviewed code into the skill instead of using npx. (3) Avoid storing private keys in plaintext files in your home directory; use environment variables or a secure signer/wallet. (4) If you must test, do so in an isolated environment (throwaway wallet with minimal funds/USDC) and review network calls made by the npm package. If you cannot validate the npm package author and contents, treat this skill as risky.
功能分析
Type: OpenClaw Skill
Name: x-search
Version: 1.0.0
The skill is classified as suspicious due to its handling of a sensitive private key and reliance on an external dependency. The `SKILL.md` instructs the AI agent to configure and use an `X402_PRIVATE_KEY` (for payment via x402 protocol) by reading it from environment variables or `~/.x402-config.json`. The `scripts/search.sh` script then reads this private key and exports it for use by `npx @itzannetos/x402-tools-claude`. While the private key is stated to be for payment, handling such a sensitive credential and executing an external, third-party `npx` package introduces significant supply chain and credential management risks, even without explicit evidence of malicious intent within the provided files.
能力评估
Purpose & Capability
The skill claims to perform paid X/Twitter searches via the x402 protocol, which reasonably requires a signing/payment key. However, the package/registry metadata declares no required env vars or primary credential while the SKILL.md and script explicitly require an X402 private key. That's an internal inconsistency: either the registry metadata is incomplete or the skill is asking for credentials that weren't disclosed.
Instruction Scope
SKILL.md and scripts/search.sh instruct the agent (and user) to provide a private key via env var or by placing a plaintext JSON file in home/current/PWD. The script reads that file and exports X402_PRIVATE_KEY, then invokes an external tool. There are no instructions limiting how the key may be used; storing a private key in ~/.x402-config.json is insecure and the script grants the external npm tool full access to that key at runtime.
Install Mechanism
There is no install spec in the skill registry, but the shipped script runs npx -y @itzannetos/x402-tools-claude x-search — which will fetch and execute code from the npm registry at runtime without a pinned version. That is a moderate-to-high risk vector: it executes third-party code fetched on demand and could run arbitrary network/file operations. The npm package author and package contents are not referenced in the skill metadata or SKILL.md for review.
Credentials
Requesting an x402/private key is proportionate to a paid blockchain-backed search service, but the skill fails to declare this credential in its manifest (registry shows no required env vars/primary credential). The SKILL.md also recommends storing the private key in plaintext files, increasing risk. The skill does not declare or justify other sensitive environment access, but the undocumented credential requirement is the main issue.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide changes. It is user-invocable and can be invoked autonomously (platform default). It does read files in the user's home/current/PWD scopes but does not modify other skills or global config.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install x-search-x402 - 安装完成后,直接呼叫该 Skill 的名称或使用
/x-search-x402触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of x-search: AI-powered X/Twitter search tool.
- Real-time search for trends, breaking news, sentiment analysis, and social insights.
- Supports searches by topics, hashtags, viral content, and public opinion.
- Paid per request ($0.05 USDC via x402 protocol on Base network).
- Configurable via environment variable or JSON config file for private key.
- Provides clear error handling and usage examples for quick setup.
元数据
常见问题
X Search (x402) 是什么?
AI-powered X/Twitter search for real-time trends, breaking news, sentiment analysis, and social media insights. Use when users want to search Twitter/X for topics, hashtags, viral content, or public opinion. Costs $0.05 USDC per request via x402 protocol on Base network. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2508 次。
如何安装 X Search (x402)?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install x-search-x402」即可一键安装,无需额外配置。
X Search (x402) 是免费的吗?
是的,X Search (x402) 完全免费(开源免费),可自由下载、安装和使用。
X Search (x402) 支持哪些平台?
X Search (x402) 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 X Search (x402)?
由 TzannetosGiannis(@tzannetosgiannis)开发并维护,当前版本 v1.0.0。
推荐 Skills