X Single Tweet + Article — Skill Tool
v1.0.4 [auto-translated] Fetch a single X tweet or X Article with charge-first billing (0.001 USDT/call).
0 · 296 · 1 current · 1 total
Security scan
OpenClaw
Suspicious
High confidence: The skill mostly does what it says (charges, then fetches an X tweet/article) but contains undeclared embedded billing credentials and pricing mismatches that do not align with the manifest and raise risk.
Assessment recommendations
This skill appears to implement the advertised functionality, but exercise caution before installing or using it:
- The script contains a hard-coded billing API key and skill ID (not declared in the manifest). That key can be used to create charges via the billing endpoint (https://skillpay.me). Ask the publisher who owns that key and why it is embedded. Prefer skills that require you to provide the billing credential as an environment variable instead of shipping one in code.
- The documented p...
⚠ Purpose and capabilities
The skill's code implements a charge-first fetcher for an X tweet or X Article as advertised, but it embeds a hard-coded billing API key and SKILL_ID in the script instead of requiring/declaring them as credentials in the manifest. That hidden credential is not explained in the description and gives the code immediate ability to call the billing API.
ℹ Instruction scope
SKILL.md only instructs running node scripts/run.js with URL/article args. The runtime script does only network operations (billing calls and web fetches) and does not read local files or unrelated environment state — that is within scope. However, it calls three external services (skillpay.me billing, r.jina.ai proxied fetch, api.fxtwitter.com) which the SKILL.md does not fully document.
✓ Install mechanism
No install spec is provided and the skill is instruction+script only, so nothing is written to disk at install time beyond the included script. This is the lowest install risk.
⚠ Credential requirements
The manifest lists no required credentials, yet the script contains an embedded API key (sk_74e1...) and SKILL_ID and uses a default billing URL. The SKILL.md lists optional env overrides, but embedding a secret and not declaring a primary credential is disproportionate and surprising. Also the observable pricing in code (PRICE default '1' and top-up amount 7) does not match the documented 0.001 USDT/call, which is inconsistent and could lead to unexpected charges.
✓ Persistence and permissions
The skill does not request always:true, does not modify other skills or system settings, and will not be force-enabled. It runs as invoked and does not persist privileges on the host.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.4 2026/3/6
Restore charge-first billing in runtime path after local no-billing test mode; insufficient balance now reliably returns PAYMENT_URL before fetch.
● Suspicious
Install command
Official: npx clawhub@latest install x-single-tweet-article-skill
Mirror (accelerated): npx clawhub@latest install x-single-tweet-article-skill --registry https://cn.clawhub-mirror.com
Data source: ClawHub ↗ · Chinese localization: 龙虾技能库