📦 Twitter Query — Search Tweets
v1.0.0
Fetches public X/Twitter data by account or keyword through the read-only twitterapi.io API and outputs structured JSON, with no LLM and no trend scoring.
0 · 205 · 0 current · 0 total
Last updated
2026/3/30
Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
This skill appears to do what it claims (fetch tweets via twitterapi.io) and the Python scripts are readable and use only stdlib. Before installing or running it:
- Treat TWITTER_API_KEY as a secret. Only provide your real key if you trust the skill and its source; consider using a throwaway/test key first.
- Verify the platform metadata: the skill's SKILL.md and scripts require TWITTER_API_KEY, but the registry metadata does not declare it — ask the publisher to update the manifest to list req...
ℹ Purpose and capabilities
The scripts implement exactly what the name/description promise: read-only queries to twitterapi.io (user timeline and advanced search) and JSON output. However the registry metadata lists no required environment variables while SKILL.md and the scripts clearly require TWITTER_API_KEY (and optionally TWITTER_API_BASE). This metadata mismatch is inconsistent and may lead to missing user prompts or disclosure in install flows.
ℹ Instruction scope
SKILL.md instructs the agent/user to set TWITTER_API_KEY and run the two Python scripts; the scripts only perform HTTP GETs to the configured base and print JSON to stdout. They do not access other system files, other credentials, or external telemetry endpoints. One noteworthy instruction-level detail: TWITTER_API_BASE is overridable; if a user or agent sets that to a malicious URL, the skill will send the API key there (the scripts do not restrict allowed hosts).
✓ Install mechanism
There is no automated install spec — this is effectively an instruction-and-scripts package. The code uses only Python stdlib and will run locally; nothing is downloaded from arbitrary third-party URLs. This is low install-surface risk.
⚠ Credential requirements
Functionally the skill only needs one secret (TWITTER_API_KEY), which is proportionate. But the package/registry metadata does not declare this required env var or a primary credential (the SKILL.md and scripts do). That mismatch is concerning because platforms may not surface the requirement to users. Additionally, allowing TWITTER_API_BASE to be set by env var means the key could be sent to a non-twitterapi.io host if misconfigured.
✓ Persistence and privileges
The skill is not always-enabled and does not request persistent platform privileges. It does not modify other skills or system-wide settings. Autonomous invocation is allowed (default) but is not combined with other alarming privileges here.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.0 2026/3/30
● Benign
Install command
Official: npx clawhub@latest install twitter-query
Mirror (accelerated): npx clawhub@latest install twitter-query --registry https://cn.longxiaskill.com (mirror sync in progress)