X / Twitter Search

Search X/Twitter in real-time using Grok or X API. Find tweets, trends, and discussions with citations.

This skill appears to do what it says, but take these precautions before installing: (1) Inspect scripts/search.js (already included) and confirm you are comfortable sending XAI_API_KEY to api.x.ai and any X_BEARER_TOKEN to api.x.com. (2) Provide only the credential(s) you intend to use (e.g., give XAI_API_KEY only if using Grok mode); consider using an API key with limited scope and easy rotation. (3) Because the skill runs a local Node script, run it in an environment you control (not with highly privileged credentials). (4) Note the scanner flagged 'system-prompt-override' — this is expected because the skill sends a systemPrompt to the remote model; if you are concerned, review the payload formatting in the script. (5) If you have strict security needs, run the script in an isolated container or sandbox before adding to production.

Type: OpenClaw Skill Name: x-twitter-search Version: 1.0.1 The skill is classified as suspicious due to a prompt injection vulnerability in `scripts/search.js`. The user's search query (`options.query`) is directly embedded into the `payload.input` sent to the xAI Grok model without sufficient sanitization. While the script's `extractContent` function attempts to filter the model's response, a malicious query could potentially manipulate the Grok model's behavior or lead to unintended information disclosure from the model's context. However, there is no evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints or installation of backdoors; network calls are confined to `api.x.ai` and `api.x.com` as declared in `SKILL.md`.