Low Risk — Risk Score 10/100
Last scan: 1 day ago
felo-x-search
Search X (Twitter) data using Felo X Search API
A straightforward X/Twitter search skill with no malicious behavior detected; only minor documentation and dependency hygiene issues present.
Skill Name: felo-x-search
Duration: 26.8s
Engine: pi
Safe to install
The skill is safe to use. Consider pinning external dependencies if any are added in the future, and update the placeholder API key in documentation to emphasize it should never be committed.

Findings (2 items)

Severity: Low
Finding: Placeholder API key value in documentation
Category: Doc Mismatch
Location: README.md:22
README.md line 22 shows FELO_API_KEY="your-api-key-here" with the placeholder value exposed. While clearly a template example, credential values in docs can be mistakenly copy-pasted into configs. No actual credential is exposed.
    export FELO_API_KEY="your-api-key-here"
→ Change the example to a clearly fictitious placeholder like "YOUR_FELO_API_KEY" or a masked form to prevent accidental use.

Severity: Low
Finding: No package.json — no explicit dependency tracking
Category: Supply Chain
Location: scripts/run_x_search.mjs:1
The skill uses Node.js built-in fetch (available since Node 18) with no package.json or package-lock.json. This means no dependency pinning for external packages, though the attack surface is minimal since no external dependencies are used.
    #!/usr/bin/env node
→ Add a minimal package.json with a scripts section for clarity and reproducibility.

Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | run_x_search.mjs:74 — fetch() call to openapi.felo.ai
Environment | READ | READ | ✓ Aligned | run_x_search.mjs:237 — reads FELO_API_KEY only
Shell | NONE | NONE | | No subprocess or shell invocation in codebase
Filesystem | NONE | NONE | | No file read/write operations in run_x_search.mjs
Skill Invoke | ADMIN | ADMIN | ✓ Aligned | SKILL.md declares skill trigger keywords and explicit commands

9 findings (1 High)

Severity | Type | Value | Location
High | API Key (suspected hard-coded credential) | API_KEY="your-api-key-here" | README.md:22
Medium | External URL | https://openapi.felo.ai/docs/api-reference/v2/x-search.html | README.md:3
Medium | External URL | https://openapi.felo.ai/v2/x/tweet/search | SKILL.md:112
Medium | External URL | https://openapi.felo.ai/v2/x/user/search | SKILL.md:118
Medium | External URL | https://openapi.felo.ai/v2/x/user/info | SKILL.md:124
Medium | External URL | https://openapi.felo.ai/v2/x/user/tweets | SKILL.md:130
Medium | External URL | https://openapi.felo.ai/v2/x/tweet/replies | SKILL.md:136
Medium | External URL | https://openapi.felo.ai | SKILL.md:185
Medium | External URL | https://openapi.felo.ai/docs/ | SKILL.md:204

File Tree

4 files · 24.1 KB · 682 lines
JavaScript: 1 file, 385 lines · Markdown: 2 files, 285 lines · JSON: 1 file, 12 lines
├─ scripts/
│  └─ run_x_search.mjs (JavaScript, 385 lines, 15.1 KB)
├─ clawhub.json (JSON, 12 lines, 750 B)
├─ README.md (Markdown, 81 lines, 2.6 KB)
└─ SKILL.md (Markdown, 204 lines, 5.7 KB)

Security Positives

✓ All network I/O goes exclusively to the declared Felo API base (openapi.felo.ai) over HTTPS
✓ No file system read/write operations — skill is stateless
✓ No shell command execution or subprocess invocation
✓ No iteration over environment variables or credential harvesting
✓ No obfuscation techniques (no base64, eval, or dynamic code generation)
✓ No sensitive path access (~/.ssh, ~/.aws, .env files, etc.)
✓ No data exfiltration or outbound data transfer beyond the intended API call
✓ Code is well-structured, readable, and matches the documented behavior exactly
✓ API key is read from the environment only, never logged, and never transmitted anywhere other than the API call
✓ Error handling is proper — no information leakage in error messages