Social Intelligence — AI-powered social media research across Twitter, Instagram, and Reddit. 1.5B+ posts indexed. Find experts, generate leads, monitor brands, analyze sentiment, discover influencers, and export data. The complete social intelligence toolkit for AI agents via MCP.
Security Analysis
medium confidence
The skill's stated purpose (social media research) matches the instructions, but there are inconsistencies in the declared requirements and a non-reviewed npm install step (mcporter) that warrants caution.
The SKILL.md describes a social intelligence platform that uses an MCP backend and a CLI (mcporter). Requiring a CLI and an Xpoz account (OAuth via xpoz-setup) is consistent with the described capabilities. However, the registry metadata earlier listed no credentials or network requirements, while the SKILL.md's embedded metadata explicitly requires the xpoz-setup skill, network access to mcp.xpoz.ai, and an Xpoz account. This discrepancy in declared requirements is an incoherence.
Runtime instructions are limited to calling the mcporter CLI and referring to related skills (xpoz-setup, various sub-skills). The document does not instruct the agent to read arbitrary local files or unrelated environment variables, nor to exfiltrate data to unexpected endpoints beyond the MCP server. Example commands are explicit (e.g., mcporter call xpoz.getTwitterPostsByKeywords).
Installation is an npm package install of 'mcporter' which will create a binary. npm installs are moderate-risk because package code executes on the host; the package author/publisher is not identified here. The install does not use a well-known release URL but uses the npm registry (expected for Node CLIs). Because no package provenance is provided and the owner/source is 'unknown', this is a point of concern.
The registry entry lists no required environment variables or primary credential, but SKILL.md metadata requires an Xpoz account authenticated via the xpoz-setup skill (OAuth 2.1). Requiring an account and OAuth is proportionate to the functionality; the inconsistency between declared/actual credential requirements should be resolved before trusting the skill. No unrelated credentials or high-privilege env vars are requested in the instructions.
The skill does not request always:true and does not declare writing/modifying other skills or system-wide settings. It does rely on an OAuth setup skill (xpoz-setup) to obtain access keys; review how that skill stores tokens, but the persistence/privilege level here is typical and not excessive on its own.
Guidance
This skill appears to do what it says (run a CLI to query an Xpoz MCP backend), but there are a few red flags to check before installing:
1) Inspect the npm package 'mcporter' (publisher, homepage, source code, recent versions) — npm packages run code on your machine.
2) Verify the xpoz-setup skill: what OAuth scopes it requests and where it stores tokens.
3) Confirm the MCP domain (mcp.xpoz.ai) and the Xpoz service (xpoz.ai) are legitimate and that using them meets platform Terms of Service (Twitter/Instagram/Reddit/TikTok scraping can violate ToS).
4) Resolve the metadata mismatch (registry shows no credentials/network but SKILL.md requires them) — ask the publisher to correct the manifest.
If you can't verify the npm package or xpoz-setup behavior, avoid installing or run it in an isolated environment (sandbox/CI) and review the package contents first.
Latest Release
v1.1.1
Added setup section, fixed dead link
Published by @atyachin on ClawHub