Security Scan
OpenClaw
Safe
High confidence: The skill's code, runtime instructions, and declared requirements are consistent with its stated purpose: fetching X/Twitter content via FxTwitter (no key) and using xAI/Grok (requires XAI_API_KEY) with a local daily-cap state file.
Assessment and Recommendations
This skill appears to do what it says: fx-fetch uses the public FxTwitter proxy (no credentials) and grok-x-search uses your xAI API key and writes a local .grok-state.json to enforce a daily cap. Before installing: (1) consider whether you trust api.fxtwitter.com and the x.ai service; (2) keep XAI_API_KEY private (do not commit a .env with the key into version control); (3) expect Grok calls to incur cost — the README mentions pricing; (4) the script will create .grok-state.json in the project ...
✓ Purpose and Capabilities
Name/description match the included scripts. fx-fetch.mjs contacts api.fxtwitter.com and requires only node; grok-x-search.mjs contacts api.x.ai and requires XAI_API_KEY. Optional GROK_DAILY_CAP is present and used. No unrelated credentials or binaries are requested.
✓ Instruction Scope
SKILL.md instructs running the two included node scripts and documents which calls require the API key. The scripts only read a local .env (optional), write a .grok-state.json next to the repository to enforce a daily cap, and make HTTPS calls to api.fxtwitter.com and api.x.ai. They do not execute shell commands, read other system files, or contact unexpected endpoints.
✓ Install Mechanism
No install spec is provided (instruction-only); requiring node is appropriate for the provided .mjs scripts. Nothing is downloaded from arbitrary URLs or written to unusual system locations by an installer.
✓ Credential Requirements
Only XAI_API_KEY (primary) is required for Grok features; GROK_DAILY_CAP is optional. The requested environment variables align with the documented Grok usage and no unrelated secrets are requested.
✓ Persistence and Privileges
always:false (normal). The script writes a single .grok-state.json in the repository root to track daily usage — limited, local persistence. The skill does not modify other skills or global agent settings.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest · v1.0.1 · 2026/3/12
Fix: remove home directory .env scanning — XAI_API_KEY now sourced from env var or cwd .env only. Fix: declare XAI_API_KEY and GROK_DAILY_CAP in skill metadata. Add repository URL.
● Benign
Install command
Official: npx clawhub@latest install xpull
Mirror: npx clawhub@latest install xpull --registry https://cn.clawhub-mirror.com
Skill Documentation
Scripts
node {baseDir}/scripts/fx-fetch.mjs "— single tweet or article"
node {baseDir}/scripts/fx-fetch.mjs "— thread (OP only, walks upward)" --thread
node {baseDir}/scripts/grok-x-search.mjs thread "— full thread from root (requires XAI_API_KEY)"
node {baseDir}/scripts/grok-x-search.mjs replies "— replies (requires XAI_API_KEY)"
node {baseDir}/scripts/grok-x-search.mjs search "— search (requires XAI_API_KEY)"
node {baseDir}/scripts/grok-x-search.mjs search "— search by author (requires XAI_API_KEY)" --from
Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
| XAI_API_KEY | For Grok features | — | xAI API key. Get one at console.x.ai. |
| GROK_DAILY_CAP | No | 20 | Max Grok calls per day. Resets at midnight UTC. |

Set XAI_API_KEY as an environment variable or in a .env file in the working directory.

Notes
- fx-fetch.mjs — free, no credentials, no state. Calls api.fxtwitter.com only.
- grok-x-search.mjs — requires XAI_API_KEY. Writes .grok-state.json next to the script to enforce the daily cap. Calls api.x.ai only.
- Grok calls cost $5 per 1,000 x_search tool uses + token costs.
Data source: ClawHub · Chinese localization: 龙虾技能库