      Safety Report

      Social Sentiment

      @atyachin

      Sentiment analysis for brands and products across Twitter, Reddit, and Instagram. Monitor public opinion, track brand reputation, detect PR crises, surface complaints and praise at scale — analyze 70K+ posts with bulk CSV export and Python/pandas. Social listening and brand monitoring powered by 1.5B+ indexed posts.

      2,455 Downloads
      7 Installs
      4 Stars
      5 Versions
      Search & Retrieval 2,116 | E-Commerce 1,690 | Monitoring & Logging 1,579 | Social Media 1,367

      Security Analysis

      medium confidence
      Suspicious | 0.08 risk

      The skill's purpose (social sentiment via Xpoz API) mostly matches its instructions, but the registry metadata, runtime instructions, and install/credential expectations are inconsistent and need clarification before trusting it.

      Feb 12, 2026 | 1 file | 4 concerns
      Purpose & Capability: note

      Name and description align with using an xpoz API client (mcporter) to fetch social posts and then analyze CSVs locally. Requiring a CLI named 'mcporter' and describing queries + CSV export is coherent for this purpose.

      Instruction Scope: concern

      SKILL.md instructs the agent to run an external 'xpoz-setup' skill for OAuth and to call mcporter commands against mcp.xpoz.ai and to download large CSVs to local paths. The top-level registry metadata omitted the 'xpoz-setup' dependency and the credential/network requirements shown in SKILL.md, creating a mismatch about what the agent will do and what it needs.

      Install Mechanism: note

      Install uses npm to install the 'mcporter' package and create a 'mcporter' binary. npm installs are common but carry moderate risk — the package should be audited (publisher, popularity, code) before installation. No arbitrary URL downloads or archive extraction are present.

      Credentials: concern

      Registry metadata lists no required credentials, but SKILL.md explicitly requires an Xpoz account and OAuth via the xpoz-setup skill and network access to mcp.xpoz.ai. OAuth tokens and any account credentials are sensitive; the inconsistency between declared and actual credential requirements is a red flag and should be clarified.

      Persistence & Privilege: ok

      The skill is not marked 'always: true' and does not request system-wide changes. It delegates authentication to another skill (xpoz-setup) rather than storing credentials itself. No evidence it modifies other skills or agent configs.

      Guidance

      Before installing:

      (1) Confirm the source—this skill lists homepage xpoz.ai but source is unknown; prefer verified publishers.
      (2) Inspect the 'mcporter' npm package (publisher, code, recent activity) because installing it creates a CLI that will run network calls.
      (3) Review the 'xpoz-setup' skill (OAuth flow) to see what permissions/tokens it requests and where tokens are stored.
      (4) Verify network host mcp.xpoz.ai is legitimate for Xpoz and whether data sent/received includes sensitive content.
      (5) Because SKILL.md and registry metadata disagree about credentials/deps, ask the publisher to reconcile them; do not supply OAuth credentials until you understand which component receives/stores them.
      (6) Consider running installs in an isolated environment (container) and auditing any downloaded CSVs for sensitive data before wider use.

      Latest Release

      v1.4.0

      Added setup section, removed curl

      Published by @atyachin on ClawHub
