Use xfetch CLI to fetch X/Twitter data - tweets, user profiles, search results, timelines, lists, DMs, and notifications. Use this skill whenever you need to...
Security Analysis
Confidence: medium. The skill's instructions match a Twitter-scraping tool, but it instructs accessing sensitive browser cookies/profiles and implies installing an npm package from an unknown source without an install spec, which raises privacy and supply-chain concerns.
The name/description state the tool fetches X/Twitter data and the SKILL.md describes exactly that (tweets, profiles, DMs, notifications, exports). The requested capabilities (cookie-based auth, pagination, output formats) are coherent with a scraper CLI.
The SKILL.md explicitly instructs extracting cookies from the user's browser (chrome/firefox/safari/arc/brave and specific profiles), setting auth tokens, reading/writing cursor state and output DB/files, and accessing DMs and bookmarks. Those actions require reading local browser profile data and writing local files — sensitive operations not declared elsewhere. The instructions also allow proxy URLs with credentials and proxy-file rotation, which could cause credential handling/storage concerns.
There is no install spec (instruction-only), which is low risk by itself, but the markdown references running the CLI via 'npx @lxgic/xfetch' / 'bunx @lxgic/xfetch' and says it's installed globally as 'xfetch'. That implies runtime downloading/executing an npm package from an external registry (supply-chain risk). The skill does not supply a vetted install source or verify package integrity.
requires.env is empty, but the instructions require access to local browser cookies/profiles and accept proxy URLs (which can include credentials). The skill can store auth tokens and output files. These are highly sensitive capabilities relative to the simple 'fetch tweets' description and should be explicitly declared and justified.
The skill is not marked 'always:true' and is user-invocable; it does instruct saving and clearing its own auth state but does not request persistent platform privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with an 'always' flag.
Guidance
This SKILL.md is coherent with a cookie-based X/Twitter scraper, but it requires reading browser cookies/profiles (sensitive) and implies using an npm package (@lxgic/xfetch) from an unknown source. Before installing or using it:
1) Confirm where the 'xfetch' binary would come from and review the npm package source and maintainer;
2) Consider the privacy risk of allowing access to your browser profile/cookies and DMs — don't run it on machines with sensitive accounts;
3) Prefer using official APIs with scoped credentials where possible;
4) If you must run it, do so in an isolated environment (VM/container) and inspect where it stores auth tokens and any downloaded code;
5) Be aware this may violate X/Twitter terms of service and could expose private messages and tokens if misused.
Latest Release
v1.0.0
Initial release of xfetch – a CLI tool for scraping and exporting X/Twitter data using browser cookies.
- Fetch tweets, user profiles, threads, timelines, lists, DMs, and notifications via simple CLI commands.
- Flexible authentication using browser cookie extraction or manual token entry.
- Extensive pagination and formatting options: output as JSON, JSONL, CSV, or directly to SQLite.
- Supports timeline, search, user lookup, likes, bookmarks, lists, followers, DMs, and notifications.
- Includes options for proxies, request delay, color control, and error recovery via query ID refresh.
Published by @feiskyer on ClawHub